
Incorrect / confusing use of the :realm option? #464

Closed
fredwu opened this issue Feb 13, 2018 · 3 comments · Fixed by #680
Comments

@fredwu

fredwu commented Feb 13, 2018

Hi,

First of all, thanks for the great work on Guardian; it's a library that many of my colleagues and I have been benefiting from immensely. :)

We have a use case where we need to support accepting one JWT from potentially different sources (issuers). After digging around and experimenting, we've figured out we can use the :realm option to differentiate the JWTs so that the token verification works as intended.

However, we noticed that the :realm option in Guardian.Plug.VerifyHeader does not conform to any of the RFCs [1]:

The default value for :realm is Bearer, but according to the RFCs and IANA, Bearer is a type of HTTP authentication scheme, whereas realm (and others) are attributes.

To accept a Bearer token with a particular realm, in Guardian we have to work around it by setting it like: realm: "Bearer realm=\"example.com\"".

Ideally we should have a :scheme option that defaults to Bearer, and either a dedicated :realm option, or a more flexible :attributes option that allows any attributes.

I am in no way an expert on this topic, so please let me know if I've missed something. Thanks!


[1] RFCs I've looked into:
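To make the scheme-versus-attribute distinction from the post concrete, here is an added example (Python, written for this page; it is not Guardian code, which is Elixir, and it does not reproduce how Guardian's VerifyHeader matches the header). It parses the RFC 7235 grammar that both Authorization (credentials) and WWW-Authenticate (challenge) headers share: an auth-scheme such as Bearer, followed by either a single token68 (the Bearer request form from RFC 6750) or a comma-separated list of auth-params such as realm="...". The function names, the sample headers and the assumed scheme default are all constructed for the illustration.

```python
# Added example: parsing RFC 7235 credentials / challenge values.
# "Bearer" is the auth-scheme; realm=... is an auth-param, not a scheme.
# Not Guardian code; names and samples below are constructed for this page.
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# RFC 7230 tchar, RFC 7235 token68 and the auth-param production.
_TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TOKEN68 = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")
_AUTH_PARAM = re.compile(
    rf'^\s*({_TCHAR})\s*=\s*("(?:[^"\\]|\\.)*"|{_TCHAR})\s*(?:,|$)'
)


@dataclass
class AuthValue:
    scheme: str                                  # e.g. "Bearer"; case-insensitive per RFC 7235
    token68: Optional[str] = None                # Authorization: Bearer <token68>
    params: Dict[str, str] = field(default_factory=dict)  # realm="...", error="..."


def parse_auth_value(value: str) -> AuthValue:
    """Parse: auth-scheme [ 1*SP ( token68 / #auth-param ) ]."""
    m = re.match(rf"^({_TCHAR})(?:\s+(.*))?$", value.strip(), re.S)
    if not m:
        raise ValueError("malformed auth value")
    result = AuthValue(scheme=m.group(1))
    rest = (m.group(2) or "").strip()
    if not rest:
        return result
    if _TOKEN68.match(rest):          # bare token: the Bearer request form (RFC 6750 2.1)
        result.token68 = rest
        return result
    while rest:                       # otherwise a comma-separated auth-param list
        pm = _AUTH_PARAM.match(rest)
        if not pm:
            raise ValueError(f"malformed auth-param near {rest[:20]!r}")
        name, raw = pm.group(1).lower(), pm.group(2)
        if raw.startswith('"'):
            raw = re.sub(r"\\(.)", r"\1", raw[1:-1])   # strip quotes, undo quoted-pair
        if name in result.params:
            raise ValueError(f"duplicate auth-param {name}")
        result.params[name] = raw
        rest = rest[pm.end():]
    return result


def extract_token(authorization: str, scheme: str = "Bearer") -> Optional[str]:
    """What a VerifyHeader-style plug needs: the token68 for the expected scheme, else None."""
    try:
        parsed = parse_auth_value(authorization)
    except ValueError:
        return None
    if parsed.scheme.lower() != scheme.lower() or parsed.token68 is None:
        return None
    return parsed.token68


def challenge_realm(www_authenticate: str, scheme: str = "Bearer") -> Optional[str]:
    """Read the realm attribute out of a challenge of the given scheme."""
    parsed = parse_auth_value(www_authenticate)
    if parsed.scheme.lower() != scheme.lower():
        return None
    return parsed.params.get("realm")


def _quote(v: str) -> str:
    return '"' + v.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_challenge(scheme: str, **params: str) -> str:
    """Serialise a challenge, e.g. WWW-Authenticate: Bearer realm="example.com"."""
    if not params:
        return scheme
    return scheme + " " + ", ".join(f"{k}={_quote(v)}" for k, v in params.items())


# Constructed sample headers (not captured from any real system).
SAMPLE_AUTHORIZATION = "bearer eyJhbGciOiJIUzI1NiJ9.e30.signature-part"
SAMPLE_CHALLENGE = (
    'Bearer realm="example.com", error="invalid_token", '
    'error_description="The \\"token\\" expired"'
)

if __name__ == "__main__":
    print("token:", extract_token(SAMPLE_AUTHORIZATION))
    print("challenge:", parse_auth_value(SAMPLE_CHALLENGE))
    print("rebuilt:", build_challenge("Bearer", realm="example.com"))
```

Note that the realm lives in the server's challenge, not in the client's Bearer credentials: the request side carries only the scheme and the token68, so a header-verification plug should match on the scheme (case-insensitively) and treat realm as a separate attribute, which is the distinction the post is asking the option names to reflect.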
@scrogson
Member

Great stuff @fredwu! I've often thought that realm was not the best name for this myself. Unfortunately, this looks like it would be a breaking change. So we might need to put this off until we're ready for 2.0.

I'll try to find some time to read through the links you've provided and talk it over with the rest of the @ueberauth/core team.

@Hanspagh
Contributor

Hanspagh commented Oct 8, 2019

@scrogson. Where are we on this?

@yordis
Member

yordis commented Jul 16, 2021

I agree on this one; this is misleading, and a better key name should be enough for now. Maybe add a new key and announce the breaking change, without having to make a breaking change today.

yordis added a commit that referenced this issue Jul 17, 2021
* Add scheme option to VerifyHeader

closes #464

* Fix sentence