Comments (3)
Hi @alex88
First of all, thanks for the issue.
I'm not completely sure if you want to validate the access_token on the client or resource server (API) side.
For JWT access_token there's now finally a RFC: https://www.rfc-editor.org/rfc/rfc9068.html
I believe this would be handy for clients or resource servers.
We have not yet decided whether and, if so, when we will implement it.
Would you consider implementing it?
In the meantime there are already possibilities you could use (regardless of whether the access_token is a JWT or an opaque string).
From a client perspective:
There's the VerifyAccessToken function, which will validate it using the at_hash from the id_token:
https://github.com/caos/oidc/blob/eb10752e485ced36bd996bcb290c6e617f5ea449/pkg/client/rp/verifier.go#L93
From the token endpoint response you would also get the Expiry of the access_token.
And as the access_token might get revoked or otherwise invalidated at any time, I would simply send it to the resource server and handle an HTTP 401 response by reauthenticating the user (with a refresh_token or a new login flow).
From a resource server (API) perspective:
I'd use the introspection endpoint to validate the access_token. Given the access_token is a JWT, there would be the possibility to validate it directly as mentioned above.
The advantage of using the introspection endpoint is that you would be sure the token is still active and has not been revoked. For performance reasons, there would also be the possibility to cache the introspection result for a given time, depending on the security needs of the API.
I hope I have been able to help you a little further.
from oidc.
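The at_hash check the comment above points to, written out as an added example (not the caos/oidc library's own code): the client hashes the access_token with the hash family of the ID token's `alg`, keeps the left-most half of the digest and compares it, base64url-encoded without padding, against the `at_hash` claim. The access token string and the `alg` values used in `main` are constructed; algorithms outside the 256/384/512 families (including `none`) are rejected as an assumption of this example.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"hash"
	"strings"
)

// newHash picks the digest matching the ID token's JWS alg (RS256/ES256/PS256 -> SHA-256, ...).
// Anything else, notably alg "none", is refused so a missing hash can never "match".
func newHash(alg string) (hash.Hash, error) {
	switch {
	case strings.HasSuffix(alg, "256"):
		return sha256.New(), nil
	case strings.HasSuffix(alg, "384"):
		return sha512.New384(), nil
	case strings.HasSuffix(alg, "512"):
		return sha512.New(), nil
	}
	return nil, fmt.Errorf("unsupported alg %q for at_hash", alg)
}

// ComputeAtHash returns base64url(left-most half of hash(access_token)), the value an OP puts in at_hash.
func ComputeAtHash(accessToken, alg string) (string, error) {
	h, err := newHash(alg)
	if err != nil {
		return "", err
	}
	h.Write([]byte(accessToken))
	sum := h.Sum(nil)
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2]), nil
}

// VerifyAtHash recomputes at_hash from the token received at the token endpoint and compares in constant time.
func VerifyAtHash(accessToken, atHash, alg string) error {
	expected, err := ComputeAtHash(accessToken, alg)
	if err != nil {
		return err
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(atHash)) != 1 {
		return errors.New("at_hash does not match access_token")
	}
	return nil
}

func main() {
	tok := "constructed.opaque.access.token" // constructed sample, not a real token
	ah, _ := ComputeAtHash(tok, "RS256")
	fmt.Println("at_hash:", ah, "valid:", VerifyAtHash(tok, ah, "RS256") == nil)
	fmt.Println("tampered rejected:", VerifyAtHash(tok+"x", ah, "RS256") != nil)
}
```

As the comment notes, a matching at_hash only proves the access_token is the one issued with this id_token; whether it is still active is known only to the resource server or the introspection endpoint.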
Hi @livio-a, sorry for the delay.
My initial idea was to validate the access token in the resource server.
My use case was to build a custom auth proxy for Grafana; this proxy would do the OAuth part with this library, and then after getting the access token I would have to validate and decode it and set appropriate Grafana headers like user email/role etc.
Unfortunately I ended up not using this library because I've found an easier way to handle authentication without having to build a proxy layer.
Thank you a lot anyway for your help!
from oidc.
Closing this issue as it looks resolved/discussed.
from oidc.