Make SuperTokens an OAuth and Open ID provider #582
Comments
Thank you for sending this to me. Neither of the documents is publicly visible, though.
@ykdojo those docs are internal at the moment. You can follow this issue to be notified when we release this feature.
Cronjobs
TODO
New core configs
Hydra
Expected core response:
DELETE
Expected core response:
POST
Expected core behaviour:
PATCH
Expected core behaviour:
Hydra /oauth2/auth endpoint behaviour:
Expected core behaviour:
Opened this in favour of: https://github.com/supertokens/for-zenhub/issues/108
We want to support:
Google doc discussion here:
Test case TODOs

TODO

- `grantType` to `OAuth2TokenInfo`. The grantType field should be an enum that includes the following values: AUTH_CODE, REFRESH_TOKEN, AUTH_CODE_PKCE, and CLIENT_CREDENTIALS.
- `query_string` field of type TEXT to auth_code and access_token tables
- `query_string` param in request as well as response.
- `buildAccessToken` and `buildIdToken` recipe functions should also return a useDynamicSigningKey arg (which will be true by default).

TODOs with hydra:

- Since the access tokens will be signed by the same private key across apps, devs must check the audience before using the access token. We will be re-signing the access tokens returned by hydra in the core. By default, we use static signing keys to create the jwt, but this can be a core config.
- `ory` from the oauth code token.
- `verifyOAuthAccessToken`, which is like getSession, but it only works for oauth access tokens.
- `verifyOAuthIdToken`
- http://localhost.com:3005/auth/callback/ory?error=invalid_scope&error_description=The+requested+scope+is+invalid%2C+unknown%2C+or+malformed.+The+OAuth+2.0+Client+is+not+allowed+to+request+scope+%27profilee%27.&state=%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BDv%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD%EF%BF%BD
- `redirect_uri`, but I see no strong reason to disallow it.
- `tenant_id` query param in the auth url
- `tenantId` query param when redirecting to the auth page
- `tenantId` query param and only then defaulting to use `public`
- `client_secret_basic` and `none` for `tokenEndpointAuthMethod` (core validation)
- `clientId` and `clientSecret` not customizable (generated in the Core)
- `skipConsent` will always be set to true in the core (removed from the interface)
- `accessTokenStrategy` will always be set to jwt in the core (remove from the interface)
- `subjectType` will always be set to public (remove from the interface)
- `authorisationUrlGET` from the API interface and associated inputs from config, because we expect users to use a library and to avoid the extra API call.
- `rawUserInfoFromProvider` to `rawUserInfo`
- `redirectURIOnProviderDashboard` to `redirectURI`
- `signInPOST`
- `state` (at least 8 characters long) is required in the authorization url. As per the RFC, it is recommended but not required. However, Hydra makes it a requirement.
- `WWW-Authenticate: Bearer error="invalid_token", error_description="The access token expired"` header.
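As an added illustration (not SuperTokens or Hydra code) of the audience check the hydra note above calls for, together with the `WWW-Authenticate` header from the last item: a minimal verifier in the spirit of `verifyOAuthAccessToken`. HMAC-SHA256 with a constructed key stands in for the core's private signing key so the example runs without dependencies; the function and claim names are assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for the core's signing key. The issue describes one key
# shared across apps; HMAC is used here only to keep the example dependency-free.
SIGNING_KEY = b"example-static-signing-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_access_token(claims: dict) -> str:
    """Build a compact JWT (HS256 stand-in) over the given claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_oauth_access_token(token: str, expected_aud: str, now=None):
    """Return (claims, None) on success or (None, WWW-Authenticate value) on failure.

    Signature, expiry and audience are all checked. Because every app's tokens are
    signed with the same key, the audience check is what stops a token minted for
    app A from being accepted by app B.
    """
    now = time.time() if now is None else now
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None, 'Bearer error="invalid_token", error_description="Malformed token"'
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None, 'Bearer error="invalid_token", error_description="Bad signature"'
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        return None, 'Bearer error="invalid_token", error_description="The access token expired"'
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if expected_aud not in aud:
        return None, 'Bearer error="invalid_token", error_description="Audience mismatch"'
    return claims, None
```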