-
Notifications
You must be signed in to change notification settings - Fork 245
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add resource parameter to the OAuth2 token request to follow RFC-8707 #4680
base: main
Are you sure you want to change the base?
Conversation
666c01b
to
ba8e39e
Compare
ba8e39e
to
223dfd1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PRs need to be accompanied by tests. Please create unit tests that cover the changes.
223dfd1
to
0f2ebea
Compare
I've updated tests to validate the new parameter. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can change existing behavior in some cases. If the resource is not set as a param, it should not be set on the client OAuth request.
Also, this should be an opt-in configuration parameter that is off by default (please document with @Setting
). This behavior also needs to be tested.
I was thinking that the resource will always be set because there is always a counterPartyAddress right? Connector validates the audience of the access token when receiving request. If no resource is set, the audience will not match. But I can definitely make a configurable option to enable this on demands for people that don't care about that. I will rework my PR. |
Yes, please do to preserve the existing behavior. |
0f2ebea
to
5788b8a
Compare
I've had a test in the Daps extension that highlight the current situation. It is called Rfc8707IntegrationTest. With this PR, if we have the DAPS extension that tells the IDP to set a specific audience and we also enabled the new resource parameter feature, the audience will have the value sent via the resource parameter. What behavior do you expect for this ? :
|
5788b8a
to
3d792dc
Compare
3d792dc
to
da6978f
Compare
What this PR changes/adds
This PR makes the OAuth2 implementation ask for a token with a resource from param to follow the RFC-8707.
Why it does that
This allows an IDP to set the correct
aud
claim in the access token given to the connector.Further notes
Linked Issue(s)
Closes #4668