Add token_prefixes #2845
Comments
Thank you for the idea! Please note that this will only work for opaque tokens, so when not using the JWT strategy. It will also not work for ID tokens! But for refresh and access tokens this could work :)
aeneasr added a commit to ory/fosite that referenced this issue on Jun 17, 2022
aeneasr added a commit that referenced this issue on Jun 17, 2022
This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Closes #2845
aeneasr added a commit that referenced this issue on Jun 17, 2022
This patch adds token prefixes to access tokens (`ory_at_`), refresh tokens (`ory_rt_`), and authorize codes (`ory_ac_`). Token prefixes are useful when scanning for secrets in e.g. git repositories. Token prefixes are only issued for non-JWTs. Closes #2845
done in v2
Will token prefixes become configurable like OP suggests?
no!
What is the reason for not making these configurable except for everybody knowing ory hydra is used?
Preflight checklist
Describe your problem
Hello there!
This is a feature request to enable adding prefixes to tokens that ory hydra generates, in order to distinguish the token type without having to call the introspection endpoint, and to keep access tokens opaque.
https://github.blog/2021-04-05-behind-githubs-new-authentication-token-formats/
https://api.slack.com/authentication/token-types
https://stripe.com/docs/api/authentication
Describe your ideal solution
An option in the configuration to specify the prefixes for each token type
Workarounds or alternatives
None that I could find, apart from modifying the source code
Version
Latest
Additional Context
The reason for this feature request is because we will need to generate other types of tokens than OAuth tokens. Our policy enforcement endpoint would need to verify the inbound request token.
For example, given these token types
oa: (oauth token issued by hydra)
or: (oauth refresh token issued by hydra)
oi: (oauth id token issued by hydra)
pat: (personal access token issued by my-pac-service)
mt: (machine token issued by my-admin-service)

The policy enforcement endpoint would need to distinguish which service to call for the token introspection.
If the tokens were prefixed, it would be very easy to call the appropriate service to verify the token. That could even be done with e.g. Envoy ext_authz, with a route matcher.
Sample logic
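The prefix-based dispatch this request describes, written out as an added example: it is not the issue author's sample logic (which is not preserved on this page) and not Ory Hydra code. The `ory_at_`, `ory_rt_` and `ory_ac_` prefixes are the ones named in the commit message; the `pat_` and `mt_` spellings and the `local-jwt-verify` backend are assumptions, and anything unrecognised is rejected rather than sent to a default service.

```go
package main

import (
	"fmt"
	"strings"
)

// Backend is the service a policy enforcement point asks to check a token.
type Backend string

const (
	Hydra  Backend = "hydra"            // Ory Hydra OAuth2 introspection
	PAC    Backend = "my-pac-service"   // service name taken from the issue
	Admin  Backend = "my-admin-service" // service name taken from the issue
	JWT    Backend = "local-jwt-verify" // hypothetical: validate the signature locally
	Reject Backend = "reject"           // fail closed, call nothing
)

// ory_* prefixes come from the commit message; pat_ and mt_ are assumed spellings.
var routes = []struct{ prefix, kind string; backend Backend }{
	{"ory_at_", "access_token", Hydra},
	{"ory_rt_", "refresh_token", Hydra},
	{"ory_ac_", "authorize_code", Hydra},
	{"pat_", "personal_access_token", PAC},
	{"mt_", "machine_token", Admin},
}

// Route picks a backend from the token prefix. The prefix is only a routing
// hint: the chosen backend must still introspect or verify the token.
func Route(token string) (kind string, backend Backend) {
	for _, r := range routes {
		if strings.HasPrefix(token, r.prefix) && len(token) > len(r.prefix) {
			return r.kind, r.backend
		}
	}
	// JWT access tokens and ID tokens carry no prefix: match their three-part shape.
	if strings.HasPrefix(token, "eyJ") && strings.Count(token, ".") == 2 {
		return "jwt", JWT
	}
	return "unknown", Reject
}

func main() {
	// Constructed sample values, not real tokens.
	for _, t := range []string{"ory_at_c2FtcGxl.c2ln", "pat_example", "eyJhbGciOiJub25lIn0.e30.c2ln", "ory_rt_"} {
		kind, backend := Route(t)
		fmt.Println(t, kind, backend)
	}
}
```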