-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Feature/fun 509 oauth2 token handler #132
Conversation
I'd like to know what is the real goal, what problem will it solve for us? Is it more secure? More convenient? ... Is it because we could scope the requests with The other main difference I notice from reading the code is that we'll receive back |
In the Solar test runner we've even started to use another approach (integrated with env management) where the refresh token is never exposed directly but set using an HTTPOnly cookie, to prevent leaking it. Maybe we should align on the mechanism to use. |
The code looks ok, and the unit tests are passing. I have no issue with the proposal, but yes, looking at the other comments I agree we should align on the solution. We need to apply a unified way otherwise we'll have different implementations for each consumer ;) |
During GCP migration of the scoring project, a new environment management system will be used and there will be a dedicated auth server. This server will do the auth related tasks (token creation, password check) and it will be separated from the BE server, that sends session related configurations. This auth server will use oauth2, what was a decision earlier, but manual scoring is unique, because we should support user/password login. To implement it in the oauth2 context, we have to follow the standard. This standard contains the
I also have problem with a redundant |
I agree with you, but this is not part of this task. We will modify the store later, but this task solves only the GCP migration related issues. |
@krampstudio @jsconan @oatymart Do you need any other info to approve this PR? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Code looks clean and simple. Tests are passing and cover almost everything.
- New code is covered by tests (if applicable)
- Tests are running successfully (old and new ones) on my local machine (if applicable)
- New code is respecting code style rules
- New code is respecting best practices
- Feature is working correctly on my local machine (if applicable)
- Acceptance criteria are respected
- Pull request title and description are meaningful
- Pull request's target is not
master
- Documentation is updated according to changes (if applicable)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The code is ok and passes the unit tests.
In the end, we would still need to unify the APIs, but as per the discussion above, the added feature should be acceptable.
Note: tested only via unit tests.
Review Checklist
- New code is covered by tests (if applicable)
- Tests are running successfully (old and new ones) on my local machine (if applicable)
- New code is respecting code style rules
- New code is respecting best practices
- New code is not subject to concurrency issues (if applicable)
- Feature is working correctly on my local machine (if applicable) - Tested only via unit test
- Acceptance criteria are respected
- Pull request title and description are meaningful
- Pull request's target is not
master
- Commits are following conventional commits
- Commits messages are meaningful
- Commits are atomic
…uth2-token-handler
Version
There are 0 BREAKING CHANGE, 1 feature, 0 fix |
Related to https://oat-sa.atlassian.net/browse/FUN-509
Goal is to implement https://oauth2.thephpleague.com/authorization-server/refresh-token-grant/
The different between the required oauth2 request and the original OAT JWT token request is:
Request:
refresh_token
in the requestclient_id
andgrant_type
should be sent, but this is handled with the existingrefreshTokenParameters
Response:
access_token
in the responserefresh_token
expires_in
is sent in the response and this is the TTL of the access token in secondsThese differences could be handled with some conditions, so I made the decision to do not create a new token handler, but modify the existing one.
Test:
(I tested it with @peetya on his local environment, where this modification will be necessary)
Now, it is not possible to test in a working environment, because it is just a small part of big refactoring.