New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add token exchange ability into FusionAuth core #1943
Comments
Not sure I understand the request. In this example FusionAuth is exchanging the auth code for the access token, and if this is the case, is there still value in using the authorization code grant? |
What other grant would be a better fit? Not implicit (since that delivers the token on the URL). Not the client credentials (because that requires the client to hold the client secret, which public clients cannot to). What am I missing? |
I suppose this is possible. I'd have to think more about it. I think this effectively disables client verification (no client secret is necessary) and removes the possibility to utilize PKCE, or the We'd need to review each of these items and weigh the benefit to the end user and understand the risks as well.
This is our own application, so we perform the token exchange the same as any other application. We just happen to have this application running in the same VM. Because we are own application, we can still utilize a client secret, PKCE, and the |
If all we are doing is a cookie drop and redirect, this might be a quick way to get cookies into the SPA. The flow would look like this:
In step 5, I wonder if this would work with a cross domain cookie. We could test this out pretty easily and see how it interacts, but the Might be worth tinkering with to see if it helps with the SDKs we are writing. |
I have a prototype that works, we just need to test in a SPA, but the cookies come back correctly. Maybe @mooreds can test in the EAP build. |
Talked with @robotdan about this. Seems like a great feature, but not high priority right now. If you, dear reader, think differently, please upvote. |
New SolutionAfter internal discussion, here's the new proposed solution. New EndpointsWe will create the following endpoints
CookiesThe token exchange endpoint will drop four cookies
|
Can we close this, @lyleschemmerling ? the hosted backend doc landed here: FusionAuth/fusionauth-site#2115 |
Closing. If anyone has outstanding tasks, please complete them or move to separate issues to track to closure. |
Add token exchange ability into FusionAuth core
Problem
This came up while discussing the react SDK.
In a traditional FusionAuth installation, if you are using the recommended Authorization Code grant, one has to have both a browser, which gets the authorization code, and a server side component, which receives the authorization code from the browser and holds the client id and client secret. The server side component then exchanges the client id, client secret and authorization code for an access token (and perhaps a refresh token). Those are then sent down to the client (or browser), or held in a session in the server side component.
FusionAuth gives you flexibility on where to store the token. For a non-zero set of use cases, we recommend setting an httponly secure cookie for the access token and sending it down, but doing so requires that additional server side component to be written and hosted someplace.
Solution
Add an application feature, which must be explicitly turned on, that adds a route to the FusionAuth server called
/oauth-redirect
. Let's assume FusionAuth is hosted at auth.example.comWhen enabled, the authorized redirect url for the application would include the route
https://auth.example.com/oauth-redirect
. FusionAuth would, after an authentication, send the browser tohttps://auth.example.com/oauth-redirect
with astate
value of the clientid and the authorization code. The code inoauth-redirect
would do the token exchange and send down the access token (and refresh token, if the offline_access scope was requested. The cookie would be an httponly, secure cookie, and the cookie domains would be set to .example.com.You could also make the cookie domain configurable, as mentioned here: #1991
This would not work for everyone, but for many users would remove one more barrier to using FusionAuth.
I believe we already do this for the FusionAuth admin application (the /admin/login endpoint), so this would generalize and expose this functionality.
Documentation
Alternatives/workarounds
Fully implement the authorization code grant, write the server side code or use a library which does so.
Additional context
Came up while discussing SDK design and how Auth0's SDK works.
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
How to vote
Please give us a thumbs up or thumbs down as a reaction to help us prioritize this feature. Feel free to comment if you have a particular need or comment on how this feature should work.
Related: #1991
The text was updated successfully, but these errors were encountered: