Comments (8)
Fosite does not make implications how you handle this because Fosite does not know your requirements and environment. Additionally, OAuth2 does not specify how resource servers validate the issued tokens.
There are multiple ways to handle token validation:
- Use JWT with asymmetric cryptography
- Define your own token generation strategy
- Do a database lookup, using for example
Storage.GetAccessTokenSession
. This is neccessary if you use token revokation.
Depending on your use case, you can chose one or multiple of the things above. It would however be a good idea to have a validation example in the exemplary app. If you want to, give it a shot and create a PR - that's the best way to learn :)
from fosite.
If you use HMAC as token strategy, a client-side cryptographic validation of the tokens is not possible because you need both the global secret and the client secret. In that case a database lookup would be best.
from fosite.
I'd definitely send a PR once I figure things out. But I think I might still not be getting the concepts right. I'm very new to OAuth in general, just getting started.
from fosite.
I see :) OAuth2 can be very tricky, especially with so many different workflows and extensions. If you need help, feel free to ask any time.
from fosite.
I took a little time to think about this issue and there must be a standard way for validating tokens. I will think about this issue over the next few days and hopefully come up with a good, extensible solution.
from fosite.
I will see if i have time to fix a simple middleware example that is able to validate the token using either a shared secret (via HMAC) or with Certificates (JWT, for more manageable security) in the coming day or two. :)
from fosite.
Nice @leetal !
from fosite.
This will be covered in #31
from fosite.
Related Issues (20)
- Best way to replicate a refresh_token flow using Fosite. HOT 5
- RFC7523: Store the payload of the supplied JWT for later use in token hook in Hydra HOT 6
- Add custom form_post response writer HOT 1
- github.com/square/go-jose is deprecated HOT 3
- upstream reference closed: github.com/square/go-jose/issues/353 HOT 1
- RFC7523: Allow associating an audience allow list to a public key trust. HOT 1
- Auth Req omitted response_mode does not validate the default response_mode against the ResponseModeClient
- Failing to fetch a PKCE request session fails requests even when PKCE is not enforced HOT 3
- redirect_uri matching does not follow RFC3986 HOT 2
- Changelog is out of sync
- During refresh token grant if token is invalid or expired return status code should be 400 HOT 3
- Allow revoking access token without revoking refresh token HOT 2
- authorize_helper.isLoopbackAddress has flaws HOT 1
- clientCredentialsFromRequest should not expect Basic Authorization terms being URL Escaped HOT 2
- Refresh token flow handler does not set the original request ID in the handler early enough
- use mattn/go-sqlite3 v2.0.3+incompatible no the new version HOT 6
- Failed to decode `id_token_hint` when using different signer for `id_token` and others
- `iat` field in access token (JWT) issued as part of `refresh_token` grant. HOT 8
- Concurrent requests for token endpoint on auth-code flow with same code succeed. HOT 7
- Can not run the example code
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fosite.