Add optional token_endpoint to IdP config
#584
Comments
|
Oh interesting. Are you suggesting we add this optional parameter in the config URL and then perhaps include it directly from IdentityCredential so that the RP knows where to exchange the token they receive from FedCM right away? This seems reasonable to me, and fairly simple for the browser to do. The naming is a bit tricky though since we'd want to make sure it is clearly different from the ID assertion endpoint, which in turn used to be called the token endpoint |
|
Ha, that's an interesting proposal indeed.
Speaking of profiling OAuth/OIDC, have you considered an alternative design where you make the IdP return an agreed upon JSON object that contains both the For example: const credential = await navigator.credentials.get({
identity: {
providers: [{
configURL: "any"
}]
}
});
const {code, endpoint} = JSON.parse(credential.token);
// RP now knows where to send the code toWouldn't that work?
Something I'm pondering is that the I guess, what I'm trying to get to, is that maybe we need something like w3c-fedid/custom-requests#2 , but passing arbitrary data from the |
|
The token endpoint is definitely OAuth-specific. In my implementation I'm using a server backend, but if the OAuth client was in the browser, as with a full SPA, then the browser would need the token endpoint.
I wouldn't want to return the endpoint directly, because that means my server has an endpoint that will accept an arbitrary string and a URL and POST the string to the URL, without being able to confirm that the URL is actually an OAuth token endpoint. So I like the added step of doing some discovery to find the token endpoint so that I know I'm at least about to post it to an OAuth server and not something else. But you're right, I could return the OAuth server metadata URL in this response and that would be sufficient for both SPA and server apps. |
|
Update: ok that worked fine. I don't love the Closing this in favor of #578. |
As I've been working on profiling this for OAuth/OIDC, in particular with IdP registration (#240), I encountered the need to include the OAuth token endpoint in the IdP config.
The flow is as follows:
configURL: anyThe nice thing about doing it this way is it means we don't need to use a signed format for the token in the response from the FedCM API, since the RP never actually has to parse that value. It also means the JS code in the RP can send this value to its server, and the actual user data is transferred server-to-server, so it can be used with less validation too.
However, the problem arises in IdP registration mode, where the RP is not preconfigured with the IdP's information. The FedCM API returns the IdP's configURL in the response at the same time that it returns the authorization code, which is the first time the RP knows anything about which IdP was used. So we need to be able to go from the FedCM configURL to the token endpoint.
My solution was to extend my IdP config to include the IdP's token endpoint with a new parameter
token_endpoint. An alternative would be to rely on the OAuth Server Metadata spec, which uses a.well-knownpath for the OAuth server metadata, however that still leaves the missing piece of going from the FedCM configURL to the OAuth issuer URL which is used for discovery, so I don't think that actually solves anything. Plus then you're more limited in use cases because of the.well-knownrequirement. So I like the simpler solution of including the token endpoint in the config.The text was updated successfully, but these errors were encountered: