fix: Returning Valid token_type in Introspection Response #486
Conversation
cc @aeneasr
Thank you for this PR! I looked a bit into MAC-based HTTP authentication and could not find anything related to OAuth2 except for this draft, which expired in 2014, while the HTTP Bearer token is an accepted standard.
I think it's therefore safe to assume that fosite always returns a bearer token, which is great, because then we do not have to break backwards compatibility any more! So all we have to do is update the introspection writer!
I just realized that the request parameters have a `token_type_hint` parameter which can be `access_token` or `refresh_token` (see also RFC 7009), but then return `token_type` in a completely different context (related to the HTTP auth mechanism). Classic OAuth2 ...
Co-authored-by: hackerman <[email protected]>
This reverts commit b218baa
fix: returning valid token_type in introspection response ory/hydra#1762
Awesome, thank you for your contribution! This looks pretty good but I have some ideas how to improve it further :)
Awesome 🎉
Thank you for your contribution!
Related issue
ory/hydra#1762
Proposed changes
Added a fix to return `bearer` or `mac` in `token_type` of the introspection response, based on the type of the token being introspected. If the token type is `access_token`, it always returns `bearer`, as `mac` is not supported now. Added an extra attribute `token_use` to return the token type `access_token` or `refresh_token`.
Checklist
vulnerability. If this pull request addresses a security vulnerability, I confirm that I got green light (please contact [email protected]) from the maintainers to push the changes.
Further comments
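The distinction the thread settles on, as an added example that is not fosite's code and not part of the PR: `token_type` in an RFC 7662 introspection response names the HTTP authentication scheme (`bearer`, or in principle `mac`), while the `access_token` / `refresh_token` vocabulary belongs to RFC 7009's `token_type_hint` and, in this PR, to the proposed non-standard `token_use` attribute. The example builds the server-side response with `token_type` fixed to `bearer`, and on the client side rejects a response that leaks a hint value into `token_type`. The type and function names (`IntrospectionResponse`, `BuildIntrospection`, `ParseIntrospection`, `TokenUse`) and the JSON sample are constructed for illustration; only the field names come from the RFCs and the PR.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// TokenUse says what kind of token was introspected. The values are the
// token_type_hint vocabulary of RFC 7009 section 2.1, reused for the
// non-standard token_use attribute proposed in the PR.
type TokenUse string

const (
	UseAccessToken  TokenUse = "access_token"
	UseRefreshToken TokenUse = "refresh_token"
)

// IntrospectionResponse holds the RFC 7662 section 2.2 fields used here
// plus token_use. Names are hypothetical, chosen for this example.
type IntrospectionResponse struct {
	Active    bool     `json:"active"`
	Scope     string   `json:"scope,omitempty"`
	ClientID  string   `json:"client_id,omitempty"`
	Sub       string   `json:"sub,omitempty"`
	Exp       int64    `json:"exp,omitempty"`
	TokenType string   `json:"token_type,omitempty"` // HTTP auth scheme, RFC 6749 section 7.1
	TokenUse  TokenUse `json:"token_use,omitempty"`  // access_token or refresh_token
}

// BuildIntrospection is the server side. token_type is always "bearer"
// because no MAC tokens are issued; the hint vocabulary goes into token_use.
func BuildIntrospection(active bool, use TokenUse, scope, clientID, sub string, exp int64) IntrospectionResponse {
	if !active {
		// RFC 7662 section 2.2: an inactive token yields only {"active": false},
		// so nothing about the token is disclosed.
		return IntrospectionResponse{Active: false}
	}
	return IntrospectionResponse{
		Active:    true,
		Scope:     scope,
		ClientID:  clientID,
		Sub:       sub,
		Exp:       exp,
		TokenType: "bearer",
		TokenUse:  use,
	}
}

// ParseIntrospection is the client side. It rejects an active response whose
// token_type is not an HTTP auth scheme (for example a server that put
// "access_token" there) or whose token_use is outside the RFC 7009 hint set.
func ParseIntrospection(body []byte) (IntrospectionResponse, error) {
	var r IntrospectionResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return r, err
	}
	if !r.Active {
		return r, nil
	}
	switch strings.ToLower(r.TokenType) {
	case "bearer", "mac":
	default:
		return r, fmt.Errorf("invalid token_type %q: expected an HTTP auth scheme", r.TokenType)
	}
	switch r.TokenUse {
	case "", UseAccessToken, UseRefreshToken:
	default:
		return r, fmt.Errorf("invalid token_use %q", r.TokenUse)
	}
	return r, nil
}

func main() {
	good, _ := json.Marshal(BuildIntrospection(true, UseRefreshToken, "openid offline", "my-client", "alice", 1700000000))
	fmt.Println(string(good))

	// Constructed sample of the defect class the PR addresses: the hint value
	// ends up in token_type instead of the auth scheme.
	bad := []byte(`{"active":true,"token_type":"access_token","client_id":"my-client"}`)
	if _, err := ParseIntrospection(bad); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

The case-insensitive comparison on `token_type` is deliberate: RFC 6749 section 7.1 treats the scheme name as case-insensitive, so `Bearer` and `bearer` must both be accepted, while `token_use` is matched exactly because it is a plain enumerated value, not a scheme name.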