Comments (3)
metalmatze
commented on May 29, 2024
Hey, talking about examples. Is there an example about how to secure my endpoint?
I can't find anything about extracting the Bearer and passing it on.
Thanks!
from fosite.
aeneasr
commented on May 29, 2024
Hey, securing your resource servers is out of OAuth2 scope because there are different requirements in each environment. OAuth2-related publications are dealing with external endpoints (e.g. oauth2 token intropsection) but these are most of the times not compatible with what resource servers require.
As an example: If you use JWT (which is supported in fosite), you could simply validate the tokens cryptographically without any additional call to the authorization server.
What you want to do (most of the times) is extract the bearer token from the authorization header, make a lookup in the database and return all neccessary information to your environment (subject, issuer, scopes, permissions - whatever you need).
I am currently working on a draft for such an endpoint in Hydra. I did not start developing it yet but it might be a good idea to take a look there once in a while: ory/hydra#48
from fosite.
aeneasr
commented on May 29, 2024
Is there an example about how to secure my endpoint?
Yes, with ValidateRequestAuthorization(ctx context.Context, req *http.Request, session interface{}, scope ...string) (AccessRequester, error)
from fosite.
Related Issues (20)
- Best way to replicate a refresh_token flow using Fosite. HOT 5
- RFC7523: Store the payload of the supplied JWT for later use in token hook in Hydra HOT 6
- Add custom form_post response writer HOT 1
- github.com/square/go-jose is deprecated HOT 3
- upstream reference closed: github.com/square/go-jose/issues/353 HOT 1
- RFC7523: Allow associating an audience allow list to a public key trust. HOT 1
- Auth Req omitted response_mode does not validate the default response_mode against the ResponseModeClient
- Failing to fetch a PKCE request session fails requests even when PKCE is not enforced HOT 3
- redirect_uri matching does not follow RFC3986 HOT 2
- Changelog is out of sync
- During refresh token grant if token is invalid or expired return status code should be 400 HOT 3
- Allow revoking access token without revoking refresh token HOT 2
- authorize_helper.isLoopbackAddress has flaws HOT 1
- clientCredentialsFromRequest should not expect Basic Authorization terms being URL Escaped HOT 2
- Refresh token flow handler does not set the original request ID in the handler early enough
- use mattn/go-sqlite3 v2.0.3+incompatible no the new version HOT 6
- Failed to decode `id_token_hint` when using different signer for `id_token` and others
- `iat` field in access token (JWT) issued as part of `refresh_token` grant. HOT 8
- Concurrent requests for token endpoint on auth-code flow with same code succeed. HOT 7
- Can not run the example code
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from fosite.