-
Notifications
You must be signed in to change notification settings - Fork 244
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add resource parameter to the OAuth2 token request to follow RFC-8707 #4680
Conversation
666c01b
to
ba8e39e
Compare
ba8e39e
to
223dfd1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
PRs need to be accompanied by tests. Please create unit tests that cover the changes.
223dfd1
to
0f2ebea
Compare
I've updated tests to validate the new parameter. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This can change existing behavior in some cases. If the resource is not set as a param, it should not be set on the client OAuth request.
Also, this should be an opt-in configuration parameter that is off by default (please document with @Setting
). This behavior also needs to be tested.
I was thinking that the resource will always be set because there is always a counterPartyAddress right? Connector validates the audience of the access token when receiving request. If no resource is set, the audience will not match. But I can definitely make a configurable option to enable this on demands for people that don't care about that. I will rework my PR. |
Yes, please do to preserve the existing behavior. |
0f2ebea
to
5788b8a
Compare
I've had a test in the Daps extension that highlight the current situation. It is called Rfc8707IntegrationTest. With this PR, if we have the DAPS extension that tells the IDP to set a specific audience and we also enabled the new resource parameter feature, the audience will have the value sent via the resource parameter. What behavior do you expect for this ? :
|
3d792dc
to
da6978f
Compare
This pull request is stale because it has been open for 7 days with no activity. |
This pull request was closed because it has been inactive for 7 days since being marked as stale. |
@jimmarino Can you reopen this PR please ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comments inline
...oauth2/oauth2-daps/src/test/java/org/eclipse/edc/iam/oauth2/daps/Rfc8707IntegrationTest.java
Outdated
Show resolved
Hide resolved
...oauth2/oauth2-daps/src/test/java/org/eclipse/edc/iam/oauth2/daps/Rfc8707IntegrationTest.java
Outdated
Show resolved
Hide resolved
45ae491
to
516701a
Compare
Unit test are in failure on the main branch. See #4699. Waiting for the correction. |
516701a
to
4edce0d
Compare
@jimmarino Do I need to wait for a review by the second reviewer, or it is ok for you to merge this PR ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One minor change and it will be good to merge.
.../oauth2/oauth2-core/src/main/java/org/eclipse/edc/iam/oauth2/identity/Oauth2ServiceImpl.java
Outdated
Show resolved
Hide resolved
4edce0d
to
a43b8ff
Compare
a43b8ff
to
5cb4a67
Compare
What this PR changes/adds
This PR makes the OAuth2 implementation ask for a token with a resource from param to follow the RFC-8707.
Why it does that
This allows an IDP to set the correct
aud
claim in the access token given to the connector.Further notes
Linked Issue(s)
Closes #4668