OAuth2 Authorization Code Grant Flow #247
Conversation
johakoch
force-pushed
the
oauth2-ac
branch
9 times, most recently
from
13c73b0
to
1a02ddb
Compare
|
Im Moment ist es so implementiert, dass erwartet wird, dass Code-Verifier oder CSRF-Token als solche an den Browser gehen: Im Request an den Redirekt-Endpunkt müssen sie aus dem Request ermittelbar sein (z.B. im Cookie). Dafür gibt es die Konfigurations-Attribute oauth2 "my-ac" {
...
code_verifier_value = request.cookies.cv
# csrf_token_value = request.cookies.ct
...
}Ohne einen zentralen Store ist es dann auch wahrscheinlich, dass Access-/Id-/Refresh-Tokens als solche (als Cookie) im Browser gespeichert werden. Hätte man einen (von verschiedenen Couper-Instanzen verwendeten) zentralen Store, könnte man die Tokens selbst im Store speichern und nur eine Referenz darauf an den Browser gehen. Das würde ggfs. die Sicherheit noch erhöhen. |
The current idea is, that But I would rather make that token store a built-in feature that is configured outside of the AC. We could then reference it with a new set of config attributes that are mutually exclusive with For the task here, I agree that we can proceed with the value-approach. |
| // Validate implements the AccessControl interface | ||
| func (oa *OAuth2Callback) Validate(req *http.Request) error { | ||
| if req.Method != http.MethodGet { | ||
| return errors.Oauth2.Messagef("wrong method: %s", req.Method) |
There was a problem hiding this comment.
This applies to all Oauth2 errors, could we add more context e.g. oa.conf.Name as .Label(...) ?
There was a problem hiding this comment.
Should the caller give the context? Or the callee?
docs/README.md
Outdated
| | `csrf` | <ul><li>⚠ one of `pkce` or `csrf` is mandatory.</li><li>Use `state` or `nonce` for protection against CSRF.</li></ul> | | ||
| | **Attributes** | **Description** | | ||
| | `authorization_endpoint` | <ul><li>⚠ Mandatory.</li><li>The authorization server endpoint URL used for authorization.</li></ul> | | ||
| | `token_endpoint` | <ul><li>Optional.</li><li>The authorization server endpoint URL used for requesting the token.</li></ul> | |
There was a problem hiding this comment.
The documentation needs to be rebased but this table should get another column for required/optional instead of html listings. Other tables will be adapted soon.
…llenge(); tests, documentation
Move to lib package
…r) and b) OAuth2ReqAuth (the request authorizer / token user)
… than credentials)
…rant flow" Reintroduced userinfo request for OIDC conformance tests. This reverts commit 0d1c4e7.
Co-authored-by: Marcel Ludwig <marcel.ludwig@avenga.com>
…ifferent from id_token_claims
Solving Conflicts: * CHANGELOG.md * docs/REFERENCE.md * eval/context.go * eval/lib/jwt.go and adding more documentation
* Fix oauth_authorization_url function call to undefined reference * Fix missing cache setup on conf dry run * Fix missing name log value * oidc block ttl attribute is optional now; with 1h default * Change: oauth2/oidc redirect_uri attribute gets evaluated per request now * Add shutdown logAll hook entries for failed tests * Remove obsolete method #247 * Add oidc eval test * fixup obsolete assignment * Fixup possible startup errors while fetching the oidc configuration Pass uid Fixed missing update of the jwt parser if the issuer has been changed * Change memCache set/get to interface{} value * Fixup missing lock on oidc configuration refresh * Renamed CallbackURL -> RedirectURI * Ensure that redirectURI is not empty * Handling of undefinied reference in saml_sso_url() similar to beta_oauth_authorization_url() * Do not load openid configuration at start-up; only GetVerifierMethod() and GetAuthorizationEndpoint() need uid, as they are the first methods calling the openid configuration * Reference() already in config.OIDC; removed from oidc.Config * split OAuth clients code into different files * better error log messages * removed unused return values * more information in OAuth2 error messages * renamed beta_oidc.ttl -> beta_oidc.configuration_ttl * missing optional configuration_ttl does not crash Co-authored-by: Johannes Koch <johannes.koch@avenga.com>
No description provided.