
fix: Returning Valid token_type in Introspection Response #486

Merged: 11 commits, Oct 6, 2020

Conversation

ajanthan (Contributor)

Related issue

ory/hydra#1762

Proposed changes

  • Added fix to return bearer or mac in token_type of introspection response based on the type of the token being introspected

  • If the token type is access_token it returns bearer always as mac is not supported now.

  • Added extra attribute token_use to return the token type access_token or refresh_token.

Checklist

  • I have read the contributing guidelines
  • I have read the security policy
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got green light (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature works
  • I have added necessary documentation within the code base (if appropriate)

Further comments

@ajanthan (Contributor, Author)

cc @aeneasr

@aeneasr (Member) left a comment

Thank you for this PR! I looked a bit into MAC-based HTTP authentication and could not find anything related to OAuth2 except for this draft, which expired in 2014, while the HTTP Bearer token is an accepted standard.

I think it's therefore safe to assume that fosite always returns a bearer token, which is great, because then we do not have to break backwards compatibility any more! So all we have to do is update the introspection writer!

I just realized that the request parameters have a token_type_hint parameter which can be access_token or refresh_token (see also RFC7009), but then token_type is returned in a completely different context (related to the HTTP auth mechanism). Classic OAuth2 ...

Review comment on introspection_request_handler.go (outdated, resolved)
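The distinction the PR description and the comment above draw, as an added example that is not fosite's code or the PR's diff: token_type reports the HTTP scheme (always bearer), while the new token_use field carries the access_token/refresh_token kind that token_type_hint refers to. The token store and record type are constructed stand-ins; inactive tokens return only active=false so no metadata is disclosed.

```go
package main
import "encoding/json"

// TokenUse names the kind of token introspected; the values are the RFC 7009
// token_type_hint values, which is what the PR's new token_use field reports.
type TokenUse string

const (
	AccessToken  TokenUse = "access_token"
	RefreshToken TokenUse = "refresh_token"
)
// IntrospectionResponse follows RFC 7662 plus the token_use extension. token_type
// is the HTTP authentication scheme (RFC 6750 "bearer"), not the kind of token.
type IntrospectionResponse struct {
	Active    bool     `json:"active"`
	TokenType string   `json:"token_type,omitempty"`
	TokenUse  TokenUse `json:"token_use,omitempty"`
	ClientID  string   `json:"client_id,omitempty"`
	Exp       int64    `json:"exp,omitempty"`
}
// tokenRecord is a hypothetical stand-in for a stored token session (not fosite's types).
type tokenRecord struct {
	use      TokenUse
	clientID string
	exp      int64
	revoked  bool
}
// store is a constructed sample of issued tokens keyed by their opaque value.
var store = map[string]tokenRecord{
	"at-1": {use: AccessToken, clientID: "client-a", exp: 2000},
	"rt-1": {use: RefreshToken, clientID: "client-a", exp: 9000},
	"at-2": {use: AccessToken, clientID: "client-b", exp: 2000, revoked: true},
}

// Introspect builds the response at unix time now. Every active token is a bearer
// token (the only scheme fosite issues), so token_type is always "bearer" and the
// access/refresh distinction goes into token_use. Unknown, revoked or expired tokens
// yield only {"active": false} so no metadata leaks (RFC 7662 section 2.2).
func Introspect(token string, now int64) IntrospectionResponse {
	r, ok := store[token]
	if !ok || r.revoked || now >= r.exp {
		return IntrospectionResponse{Active: false}
	}
	return IntrospectionResponse{Active: true, TokenType: "bearer", TokenUse: r.use, ClientID: r.clientID, Exp: r.exp}
}
// IntrospectJSON is the body an HTTP introspection handler would write.
func IntrospectJSON(token string, now int64) string {
	b, _ := json.Marshal(Introspect(token, now))
	return string(b)
}
```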
@ajanthan ajanthan requested a review from aeneasr October 2, 2020 06:19
@aeneasr (Member) left a comment

Awesome, thank you for your contribution! This looks pretty good but I have some ideas how to improve it further :)

Review comments (outdated, resolved) on:
  • handler/oauth2/introspector.go
  • handler/oauth2/introspector_jwt.go
  • introspect.go
  • oauth2.go
@ajanthan ajanthan requested a review from aeneasr October 2, 2020 16:30
@aeneasr (Member) left a comment

Awesome 🎉

Thank you for your contribution!

Review comment on oauth2.go (outdated, resolved)
@aeneasr aeneasr merged commit 4b81316 into ory:master Oct 6, 2020