Use OAuth 2.0 Token Introspection during log in #27

Merged
ansv7779 merged 2 commits from oauth2-token-instrospection-login into develop 2025-03-25 15:48:32 +01:00
Owner

This is basically the same as https://gitea.dsv.su.se/DMC/scipro/pulls/141

Currently, it uses an endpoint similar to OpenID Connect UserInfo but with some differences. The endpoint does not require the "openid" scope for example. There is an ongoing effort to replace the OAuth 2.0 authorization server with a more standard compliant one which would break the endpoint (since it would require the "openid" scope). It is currently not possible to request the "openid" scope to future-proof since Spring would act differently if that scope is present and assume full OpenID Connect. That leads to requiring an id token to have been issued which the current authorization server does not do.

To get around this the implementation is changed to use a standard compliant Token Introspection endpoint to get access to the subject of the access token (which is the only part that's necessary right now). Since the endpoint is standard compliant it will work with any future authorization server.

It may be necessary to run docker compose up --build to get the latest version of the Toker containers.
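The introspection exchange the description relies on, as an added example that is not the project's code: a minimal RFC 7662 responder standing in for the authorization server, and a login step that logs in only the subject of an `active` token. The token table, client credentials, endpoint and function names are constructed for the example, and the HTTPS round-trip is replaced by a direct call.

```python
"""OAuth 2.0 Token Introspection (RFC 7662) as the login step (added example)."""
import base64
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# Constructed state of the authorization server: token -> claims about it.
_ISSUED_TOKENS = {
    "tok-alice": {"sub": "alice@example.org", "exp": int(time.time()) + 600, "scope": "read"},
    "tok-expired": {"sub": "bob@example.org", "exp": int(time.time()) - 1, "scope": "read"},
}
# Constructed credentials the relying party uses to call the introspection endpoint.
RESOURCE_CLIENT = ("seshat-client", "client-secret")


def _basic_auth(client_id: str, secret: str) -> str:
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


def introspection_endpoint(headers: dict, body: str) -> dict:
    """Responder side: authenticate the caller, then answer active/inactive only."""
    if headers.get("Authorization") != _basic_auth(*RESOURCE_CLIENT):
        return {"error": "invalid_client"}  # RFC 7662 section 2.1: caller must be authorized
    token = parse_qs(body).get("token", [""])[0]
    record = _ISSUED_TOKENS.get(token)
    if record is None or record["exp"] <= time.time():
        return {"active": False}  # unknown, revoked or expired: say nothing else about it
    return {"active": True, "token_type": "Bearer", **record}


def build_introspection_request(access_token: str) -> tuple:
    """Client side: form-encoded POST body plus client authentication header."""
    headers = {"Authorization": _basic_auth(*RESOURCE_CLIENT),
               "Content-Type": "application/x-www-form-urlencoded"}
    return headers, urlencode({"token": access_token, "token_type_hint": "access_token"})


def subject_for_login(access_token: str) -> Optional[str]:
    """Login step: the username to log in as, or None when the token must be rejected."""
    headers, body = build_introspection_request(access_token)
    response = introspection_endpoint(headers, body)  # stands in for an HTTPS POST
    if response.get("active") is not True:
        return None  # RFC 7662: only a literal true "active" means the token is valid
    sub = response.get("sub")
    if not isinstance(sub, str) or not sub:
        return None  # active but no usable subject: refuse rather than guess a username
    return sub
```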

niat8586 changed title from Use OAuth 2.0 Token Introspection during log in to WIP: Use OAuth 2.0 Token Introspection during log in 2025-03-25 13:00:19 +01:00
niat8586 added 1 commit 2025-03-25 13:49:42 +01:00
niat8586 requested review from ansv7779 2025-03-25 13:50:12 +01:00
ansv7779 added 1 commit 2025-03-25 15:46:26 +01:00
ansv7779 changed title from WIP: Use OAuth 2.0 Token Introspection during log in to Use OAuth 2.0 Token Introspection during log in 2025-03-25 15:46:34 +01:00
ansv7779 approved these changes 2025-03-25 15:47:22 +01:00
ansv7779 left a comment
Owner

Works as expected. Good find on the bug in the login handler that used the wrong username.

ansv7779 merged commit f7466a57df into develop 2025-03-25 15:48:32 +01:00
Author
Owner

Thanks for the clean up! :)

I did the comments to check the spelling :)

ansv7779 deleted branch oauth2-token-instrospection-login 2025-03-26 09:47:34 +01:00
Reference: DMC/seshat#27