Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support client_secret on authorization_code grants #405

Open
3 of 4 tasks
evert opened this issue Jul 4, 2022 · 0 comments
Open
3 of 4 tasks

Support client_secret on authorization_code grants #405

evert opened this issue Jul 4, 2022 · 0 comments
Labels
enhancement New feature or request

Comments

@evert
Copy link
Member

evert commented Jul 4, 2022

Pointed out in this ticket: badgateway/oauth2-client#70

authorization_code should support sending client_secret. After we support this we should also ensure that if client_secret is passed to get the token, it should also be passed every time the token is refreshed. This means we need to start tracking if a client_secret was used to obtain the original token.

This feature can pretty much be done in multiple steps:

  • Support client_secret with authorization_code.
  • Track in the oauth2_token table which grant_type was used to issue the token.
  • Track in the oauth2_token if a client_secret was used to issue the token.
  • Enforce that if a client_secret was used to issue a token, it must be specified when refreshing the same token.
@evert evert added the enhancement New feature or request label Jul 4, 2022
@evert evert moved this to Todo in a12nserver v0.21 Jul 17, 2022
evert added a commit that referenced this issue Sep 12, 2022
This became a bit bigger than expected, but:

* Refactors the OAuth2 service to have more consistent function
  signatures.
* Adds token statistics to the oauth2 homepage.
* Stores the 'grant_type' and whether a 'secret' was used in the tokens
  table.
* We're now storing 'scope' for every token. This OAuth2 feature wasn't
  really used by this server, but this sets up the first steps for this.
* Fixes a bug related to generating principal uris in the introspection
  endpoints.
* Has more explicit support for the 2 a12nserver-specific oauth2 flows:
  "developer tokens" and "one-time-tokens".

Other side-effects of this PR:

* A few step furthers in #405
* Some progress towards OpenID Connect support (scopes are important for
  this).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
No open projects
Status: Todo
Development

No branches or pull requests

1 participant