Comments (3)
I've implemented the first and the last in #3. However, I note that RFC 6750 specifically talks about some header manipulations that SHOULD be performed in the case of query string parameters. That isn't currently done by this middleware but we should probably consider adding it. The main issue here is "leaking" tokens via caching.
I don't see anywhere that it says anything about header manipulation when using Query String params. Where did you read about that?
I was reading RFC 6750. In researching #2, I wanted to look at the formal specification for how OAuth tokens should be handled. It mentions three schemes: Authorization header, form fields and query string parameters.
Almost nobody is using the Form Fields for authentication. Mostly all do Request Parameter or Header, so I think we're OK with those 2 at first :). What do you think?
Although RFC 6750 is for OAuth, I think almost all of the practical details (especially around security) apply for JWTs as well.
I agree that using the OAuth spec makes sense :)
from go-jwt-middleware.
The issue is with caching headers:
Clients using the URI Query Parameter method SHOULD also send a Cache-Control header containing the "no-store" option. Server success (2XX status) responses to these requests SHOULD contain a Cache-Control header with the "private" option.
I'm not worried about the form field stuff because, with the new approach, someone could implement that pretty easily. We don't need to implement everything. We just need to implement the hooks to allow everything.
from go-jwt-middleware.
Agreed on the second one.
I don't think the cache-control will be a problem by the way.
Thanks for the PR. Closing this one then !
from go-jwt-middleware.
Related Issues (20)
- provide a gin gonic example HOT 2
- Missing cookie causes CookieTokenExtractor to return error HOT 7
- Custom `ValidateWithLeeway` in #176 Introduced Breaking Changes to Token Validation HOT 3
- Allow middleware to be used in a gRPC environment HOT 7
- Cannot import internal oidc package HOT 1
- An error occured while validating JWT: jwt invalid: error getting the keys from the key func: could not get well known endpoints from url https:///.well-known/openid-configuration: Get "https:///.well-known/openid-configuration": http: no Host in request URL HOT 3
- Improve performance of JWKS Caching Provider HOT 4
- Support validate multiple issuers HOT 1
- Example for IRIS Framework
- Allow custom http Client to be used by the JWKS Provider HOT 2
- issue with token validator HOT 4
- Audience Check Should Not Be Mandatory HOT 4
- v2.1.0 Diversions from JOSE By validating audiences when none expected HOT 4
- validationKeyGetter - can not use dgrijalva as form3tech-oss Keyfunc value in struct literal HOT 1
- issue with token validator
- go-jose v2 is deprecated, should be upgraded to v3 HOT 2
- Examples do not work. jwtmiddleware missing in v2.2.0 HOT 2
- Support for Gin HOT 2
- newVerifier() function - verificationKey type
- Upgrade `go-jose` from v2 to v4 HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from go-jwt-middleware.