-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Reference token AC #711
Labels
Comments
Works: $ git diff
diff --git a/errors/type_defintions.go b/errors/type_defintions.go
index 22685421..d5992a1e 100644
--- a/errors/type_defintions.go
+++ b/errors/type_defintions.go
@@ -11,9 +11,13 @@ var Definitions = []*Error{
AccessControl.Kind("basic_auth").Kind("basic_auth_credentials_missing").Status(http.StatusUnauthorized),
AccessControl.Kind("jwt"),
- AccessControl.Kind("jwt").Kind("jwt_token_expired"),
- AccessControl.Kind("jwt").Kind("jwt_token_invalid"),
- AccessControl.Kind("jwt").Kind("jwt_token_missing").Status(http.StatusUnauthorized),
+ AccessControl.Kind("jwt").Kind("token"),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_expired"),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_expired").Kind("token_expired"),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_invalid"),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_invalid").Kind("token_invalid"),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_missing").Status(http.StatusUnauthorized),
+ AccessControl.Kind("jwt").Kind("token").Kind("jwt_token_missing").Kind("token_missing").Status(http.StatusUnauthorized),
AccessControl.Kind("oauth2"), Throwing That way we could throw the new (token) errors, introduce new (token) error types, and deprecate the old (jwt) error types, allowing both during a transition phase. |
Reference tokens are offered by e.g.
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
E.g. for the "Use-once" tokens use-case, I'm thinking about a (non-JWT) reference token AC.
These tokens could be created (token endpoint) and stored (e.g. for a defined time) in a database by a (non-Couper) service, introspected (introspection endpoint) and revocated (revocation endpoint) by a client (Couper).
Couper acting as an OAuth2 resource server provides an access control using token introspection from #632.
The configuration could be quite similar to the
jwt
block configuration, but without the JWT-specific attributes:Quite some code could probably be reused/refactored from the JWT access control implementation.
However, there is at least one issue:
The error cases in the new access control would be very similar to the ones in the JWT access control (missing/invalid/expired). But currently the errors are called
errors.Jwt...
with their counterpartjwt
andjwt_token_...
error types. We cannot just rename existing error types (because they are part of the contract). And I'm not sure whether it is possible to derive more generictoken
andtoken_
error types from the JWT specific ones (cf. error "hierarchy").The text was updated successfully, but these errors were encountered: