Feature: Access token, Refresh token, OAuth2 #113
Comments
@IzioDev OAuth2 depends on three factors:
The OAuth 2.0 protocol flow requires the client to redirect the end-user to the authorization server. Once authorization is granted, the end-user is redirected back to the client with the authorization response; from there the client starts sending the granted access token to the resource server. When a request is sent to the resource server, it extracts the access token and verifies it against the authorization server. Anyway, according to, unfortunately, GoGuardian can't handle redirect requests. Don't forget that the client should save refresh tokens in a secure manner. However, you can compose golang/oauth2 to obtain/refresh tokens.
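The resource-server half of the flow described in the comment above (extract the access token from the request, verify it against the authorization server), written out as an added Go example; it is not code from go-guardian or from anyone in this thread. Verification here uses an RFC 7662 token-introspection endpoint, the resource server authenticates to that endpoint with its own client credentials, and the check fails closed when the endpoint is unreachable. The in-process introspection server, its client ID and secret (`resource-server` / `rs-secret`), the token string `tok-active`, the required scope, and the `Introspector`, `Authorize` and `RequireScope` names are all constructed for this example and are not go-guardian APIs.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Fields of an RFC 7662 introspection reply that the resource server acts on.
type introspection struct {
	Active bool   `json:"active"`
	Scope  string `json:"scope,omitempty"`
}

// Introspector verifies tokens at the authorization server's introspection endpoint,
// authenticating there as the resource server with its own client credentials.
type Introspector struct {
	Endpoint, ClientID, ClientSecret string
	HTTP                             *http.Client
}

func (i *Introspector) Introspect(token string) (*introspection, error) {
	body := strings.NewReader(url.Values{"token": {token}}.Encode())
	req, err := http.NewRequest(http.MethodPost, i.Endpoint, body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.SetBasicAuth(i.ClientID, i.ClientSecret)
	resp, err := i.HTTP.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("introspection endpoint returned HTTP %d", resp.StatusCode)
	}
	ir := &introspection{}
	return ir, json.NewDecoder(resp.Body).Decode(ir)
}

// Authorize is the check a resource server runs before its handler: it extracts the bearer
// token (RFC 6750), verifies it with the authorization server and returns 200 for an active
// token carrying scope, otherwise the status to answer with and the reason for it.
func Authorize(in *Introspector, r *http.Request, scope string) (int, string) {
	h := r.Header.Get("Authorization")
	if len(h) < 7 || !strings.EqualFold(h[:7], "Bearer ") || strings.TrimSpace(h[7:]) == "" {
		return http.StatusUnauthorized, "invalid_request" // missing, empty or non-Bearer credentials
	}
	ir, err := in.Introspect(strings.TrimSpace(h[7:]))
	if err != nil { // fail closed: an unreachable authorization server never grants access
		return http.StatusServiceUnavailable, "introspection_unavailable"
	}
	if !ir.Active { // the server's "active" flag covers revocation and expiry
		return http.StatusUnauthorized, "invalid_token"
	}
	if !strings.Contains(" "+ir.Scope+" ", " "+scope+" ") { // exact match within the space-separated list
		return http.StatusForbidden, "insufficient_scope"
	}
	return http.StatusOK, ""
}

// RequireScope wraps a handler with Authorize and answers failures with an RFC 6750 challenge.
func RequireScope(in *Introspector, scope string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if code, reason := Authorize(in, r, scope); code != http.StatusOK {
			w.Header().Set("WWW-Authenticate", `Bearer error="`+reason+`"`)
			http.Error(w, reason, code)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newFakeAuthServer is a constructed stand-in for the authorization server: "tok-active" is
// reported active with scopes "profile email"; any other token is unknown or revoked.
func newFakeAuthServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reply := introspection{Active: r.PostFormValue("token") == "tok-active"}
		if reply.Active {
			reply.Scope = "profile email"
		}
		json.NewEncoder(w).Encode(reply)
	}))
}

func main() {
	as := newFakeAuthServer()
	defer as.Close()
	in := &Introspector{Endpoint: as.URL + "/introspect", ClientID: "resource-server", ClientSecret: "rs-secret", HTTP: as.Client()}
	req := httptest.NewRequest(http.MethodGet, "/me", nil)
	req.Header.Set("Authorization", "Bearer tok-active")
	code, _ := Authorize(in, req, "email")
	fmt.Println(code) // 200
}
```

Two details worth keeping when adapting this: the scope comparison pads the space-separated list before matching, so a required scope of `mail` is not satisfied by a granted `email` the way a plain substring test would be; and an unreachable introspection endpoint answers 503 rather than 401, so a client does not discard a token that may still be valid.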
Thank you very much for this clarification. I was obviously getting this wrong. Just to make sure I understand correctly:
I really appreciate the time you spent on making this clarification. PS: I think we can close the issue, since it was not an issue but something I got wrong.
It might help to have an OAuth2 strategy example in the examples folder? I believe there are some free OAuth2 testing servers available online that you could use to demonstrate, e.g. https://www.oauth.com/playground/
@c-nv-s Agreed, this is the primary reason I kept this issue open. However, I'd like to know what examples you expect to see.
I think composed client and resource server auth would cover more ground.
Looking into it now.
The code looks good. I'm still trying to test with a separate OIDC provider (Authelia) to see if it works. For
just so it is clear how a user could customize it for their own provider? Also, it might be nice to include a small comment showing how someone could access info from an additionally requested scope, e.g. email, profile.
I can confirm it works with Authelia with the above change.
Hi,
I am currently using the jwt strategy for the development process. This works well so far; however, I can see there are some caveats:
I think creating a new strategy like refreshTokenStrategy will resolve these issues.
There is a full specification of OAuth2 here: https://datatracker.ietf.org/doc/html/rfc6749
Protocol Flow: https://datatracker.ietf.org/doc/html/rfc6749#section-1.2
What is a refresh token: https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
What is an access token: https://datatracker.ietf.org/doc/html/rfc6749#section-1.4
Authorization code grant: https://datatracker.ietf.org/doc/html/rfc6749#section-4.1
Resource Owner Password Credentials grant: https://datatracker.ietf.org/doc/html/rfc6749#section-4.3 (in case we want to authenticate a microservice, for example)
I could keep linking all the docs, but I think this isn't necessary, as someone made a great OAuth server implementation here: https://github.com/go-oauth2/oauth2
My point is: could we create an OAuth strategy based on the OAuth server implementation that go-oauth2 made?