Support token validation from a Resource Server perspective #219

Closed
BrendanBall opened this issue Jan 6, 2022 · 4 comments

@BrendanBall

Hi

I'm not sure if this is out of scope for this library, but I'm looking to secure a resource server based on OIDC access tokens.
From looking at the docs, I don't think this library currently supports this.
In particular, I'm looking to do offline validation, and since the public key should be retrieved based on the Identity Provider's configuration available at <IdP base url>/.well-known/openid-configuration which is based on the OIDC discovery spec, I think it makes sense to add this functionality to this library. Or maybe there should be a dedicated library for resource servers since the functionality they need is much less.

What are your thoughts?
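
The offline validation described in this post, as an added Python example (not code from oidcc or from either participant): a resource server checks an RS256 access token against the IdP's published JWKS and the issuer from the discovery document, with no per-request call to the IdP. The issuer URL, `kid`, audience handling, the `issue` and `validate` names, and the demo key built from two known primes are all constructed for illustration, and the hand-rolled RSA check stands in for a vetted JOSE library.

```python
import base64, hashlib, json, time

# Constructed IdP data; a real server fetches and caches the discovery document and its jwks_uri.
ISSUER = "https://idp.example.test"              # assumed issuer URL
P, Q, E = 2**521 - 1, 2**607 - 1, 65537          # demo-only key from known primes, not secure
N, K, D = P * Q, 141, pow(E, -1, (P - 1) * (Q - 1))  # modulus, byte length, private exponent
DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # SHA-256 prefix

def b64u(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64u(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

DISCOVERY = {"issuer": ISSUER, "jwks_uri": ISSUER + "/jwks"}
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-1", "alg": "RS256",
                  "n": b64u(N.to_bytes(K, "big")), "e": b64u(E.to_bytes(3, "big"))}]}

def emsa_pkcs1(message, size):  # expected PKCS#1 v1.5 encoding of SHA-256(message)
    tail = DIGEST_INFO + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (size - len(tail) - 3) + b"\x00" + tail

def issue(claims, alg="RS256", kid="demo-1"):  # stand-in for the IdP signing a token
    signed = b64u(json.dumps({"alg": alg, "kid": kid}).encode()) + "." + b64u(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1(signed.encode(), K), "big"), D, N)
    return signed + "." + b64u(sig.to_bytes(K, "big"))

def validate(token, audience, discovery=DISCOVERY, jwks=JWKS, now=None):
    """Offline check on the resource server; raises ValueError on any failure."""
    head, body, sig = token.split(".")
    header = json.loads(unb64u(head))
    if header.get("alg") != "RS256":             # fixed allowlist, rejects "none" and HS256
        raise ValueError("unexpected alg")
    key = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise ValueError("unknown kid")
    n, e = (int.from_bytes(unb64u(key[p]), "big") for p in ("n", "e"))
    size = (n.bit_length() + 7) // 8
    recovered = pow(int.from_bytes(unb64u(sig), "big"), e, n).to_bytes(size, "big")
    if recovered != emsa_pkcs1(f"{head}.{body}".encode(), size):
        raise ValueError("bad signature")
    claims = json.loads(unb64u(body))            # read claims only after the signature check
    aud = claims.get("aud")
    if claims.get("iss") != discovery["issuer"]:
        raise ValueError("wrong issuer")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims
```
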

@maennchen
Member

@BrendanBall I definitely agree with this. I thought that I already did that in a project, but seem to have used other libraries.

A PR would be very welcome :)

@BrendanBall
Author

BrendanBall commented Jan 6, 2022

I'm more familiar with Elixir than Erlang, but I'll see what I can do.
Slightly off topic, are there any docs for oidcc v2? I just see an alpha release, but this repo doesn't have a changelog.
I'd like to know what the major changes are.
I've currently been using v1.8 since it's stable, and since I don't know when v2 will be stable, I'll probably want to start with adding this functionality to v1 so I can start using it asap.

EDIT: I see that v2 is just about the HTTP client, so no changes in the library API.

@maennchen
Member

@BrendanBall I'm also not super familiar with Erlang itself. You can just give it a try and I'll be happy to assist.

I bumped to v2 because of the HTTP client and the changed dependencies for TLS certs.

You should be able to use the new major release with almost no changes.

I was also planning to do further cleanups and improvements (and also to re-certify the lib). This is, however, quite a lot of work, and I'll bring that up for some funding in the ERLEF Security WG Meeting.

maennchen self-assigned this Sep 11, 2023
maennchen added this to the v3.0.0 milestone Sep 11, 2023