Jonathan Huot
@JonathanHuot
Hi @pauldekkers_gitlab: so basically you have a client using redirect_uri as "foo://bar.com:42/"? or "foo://localhost:42/"?
Paul Dekkers
@pauldekkers_gitlab
Correct! Clients that use "bundle.id:/" even as syntax, but also "http://127.0.0.1:{port}/{path}" as described in RFC8252 - and the latter is causing me a headache ;-) because the former I can make work in DOT (even though it doesn't go naturally), and because of the latter I tried to use oauthlib directly. (And since our list of clients is simple, I didn't think it would be too hard.)
Paul Dekkers
@pauldekkers_gitlab
(So, in part correct - the scheme for RFC8252 is always http, not foo. But I have foo clients too, yet they don't use a port.)
Paul Dekkers
@pauldekkers_gitlab
There is another problem BTW with is_absolute_uri() from oauthlib: it does not take IPv6 addresses into account, so it doesn't accept http://[::1]:{port}/{path} even if I work around that in django-oauth-toolkit.
Paul Dekkers
@pauldekkers_gitlab
That's funny, IP_literal should actually take it into account.
Paul Dekkers
@pauldekkers_gitlab
IPv6 but not loopback actually, because IPv6address doesn't match loopback addresses.
Paul Dekkers
@pauldekkers_gitlab
That IPv6address regexp at https://github.com/oauthlib/oauthlib/blob/master/oauthlib/uri_validate.py#L83 is quite bad actually. There are lots of valid IPv6 addresses that it won't match, and ::1 is just one of them. It's almost better to just use socket to test for a valid address, some other library, or a regexp something like r'([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+'
Paul Dekkers
@pauldekkers_gitlab
For django-oauth-toolkit I created jazzband/django-oauth-toolkit#953 to work around this; it kind of works when swapping too. For oauthlib/url_validate I'm not so sure how to work around it nicely. (And it looks like there's no way from django-oauth-toolkit not to use is_absolute_uri.)
Paul Dekkers
@pauldekkers_gitlab
Ok, well, I think that regexp that I wrote around 19:08 should be enough really. I filed a PR with that in oauthlib/oauthlib#753
Jonathan Huot
@JonathanHuot
While we're discussing IP and such, nice article: http://varnish-cache.org/docs/trunk/phk/ip_address.html (not 100% related to this, but more about conversion from an IP string into an actual connection)
I think some unit tests will be needed in the PR to understand what we're trying to validate.
Paul Dekkers
@pauldekkers_gitlab
I noticed the reply on my PRs about unit tests - but there are no existing unit tests at all for these functions, so I'm not sure how to approach this.
I can make some tests of course, and cover some cases - which is more than nothing, I just wasn't sure it's best to combine this at the same time.
Jonathan Huot
@JonathanHuot
I think simple unit tests for this function are ok.. we probably care about not having regressions (so add normal test-cases) and add your ipv6 localhost use-case.
Testing the regex in isolation is maybe not worth it; it would be better to add unit tests in the caller function instead.
Paul Dekkers
@pauldekkers_gitlab
Yes. So, that's for the two PRs to DOT and oauthlib I guess, but I still wonder why I can't get the simple oauthlib examples to work in Django ;-) That example on oauth2/server.html does not seem to work well, or is it missing something trivial?
Jonathan Huot
@JonathanHuot
Hi @pauldekkers_gitlab, to be honest, I have never used Django. I'm more focused on the bottle oauth provider implementation. Also, the Django examples have been there for a long time; they might be slightly outdated. Any inputs @thedrow?
Foad Ardalan
@techla
Hi all
I'm trying to figure out how to manage sessions with Authorization Code Flow with PKCE.
And my question is: how can we handle sessions if all the tokens should stay on the server with this flow?
Should the agent (browser) see the access_token / id_token?
Foad Ardalan
@techla
I have another question:
should we request an access token each time we make an endpoint call?
Jonathan Huot
@JonathanHuot
Hi @techla, it is important to understand the oauth actors and your actors. Can you try to explain what yours are? Who is your oauth client and of what type? Where is your resource server/API located? etc.
Foad Ardalan
@techla
@JonathanHuot thanks for your reply !! :) I spent the past two days understanding oauth and OpenID Connect. I think I got it right at 80%. I made an SSR/GQL app based on NextJs/Apollo and am trying to introduce an OpenID authentication layer for authentication.
Since 2019, the recommended way for OpenID is the Authorization Code Flow (based on the OAuth Authorization Grant with a little id_token twist) + PKCE.
I found an openId-client library that takes care of the OIDC protocol part for us (redirections etc...) and provides a higher-level API for user management.
Even if I read a lot about OIDC, I still have some questions.
Foad Ardalan
@techla
1 - In the OIDC Authorization Code Flow with a Private Client, the access_token and id_token are transmitted to the nodeJs server (in my case). Then, should I forward them to the browser? If so, why not manage everything from the browser with the Authorization Code Flow with a Public Client + PKCE? If leaking the tokens to the browser is a security issue, I need to make use of sessions, which makes my server stateful. How can I deal properly with that? What are the best practices?
Foad Ardalan
@techla
2 - can we deal with the refresh token in the OIDC Authorization Code Flow with a Public Client without storing it in the browser?
3 - how can we deal with the refresh token in the OIDC Authorization Code Flow with a Private Client without managing sessions?
Last but not least
=====> 4 - should I ask for a new access_token each time I want to make an API call?
@JonathanHuot ?
Jonathan Huot
@JonathanHuot
First, you have to understand the API and see if it is callable from the browser (check origin/cross origin). Some are restricted and you have to call them from the backend.
In both cases, you have to either store the access token locally in the browser (obtained with pkce), or associate tokens with a session generated in your backend.
Foad Ardalan
@techla
Thank you for your response @JonathanHuot
I found some libs that handle a token renew mechanism on the frontend based on an iframe, called silent renew.
I wonder if such a trick can be done in the "native" world.
Jonathan Huot
@JonathanHuot
Ideally, from a pure security point of view, refreshing tokens on a public client is better if you can enable refresh token rotation (each refresh token used only one time). However, unless you implement this yourself, you have very few providers supporting this.
Also, pkce for native apps is more than recommended.
Paul Dekkers
@pauldekkers_gitlab
About native apps ;-) I'm curious what you @JonathanHuot think about oauthlib/oauthlib#753 because I think that will help native Apps with loopback addresses (I know a few that expect the [::1] address to work, that's why I stumbled upon this).
Andrew Bastien
@volundmush
Hey people. I'm working on a kinda weird project and am learning about authentication, a topic that I've never really dealt with before beyond very basic and crude stuff - as in, where the connection itself was proof of identity after entering credentials, and if that TCP connection was broken then it would have to log in again.
My project is currently built around WAMP (Web Application Messaging Protocol). But I keep hearing people yammering about how I should use oauth2 etc... I need to figure out what the story is and how I could integrate this.
Though it looks like this is web-specific, which isn't necessarily immediately useful to me, hrm.
Perzan
@Perzan
Is there such a thing as a library that can automatically handle a login with OAuth?
Something like this: https://paste.md-5.net/reqoxakehu.coffeescript
Merilyn Chesler
@mchesler613
@JonathanHuot A heads up that I wrote an article about using OAuthlib and requests to implement OAuth2 flow for a Django app. You can read about it here, https://python.plainenglish.io/integrating-oauth2-in-django-with-github-and-oauthlib-341dd0069c2d?sk=ae9055be50f0a7273e0de9e8ad604085. Thank you for your framework. I have learned so much!!
Andy Du
@freeAndyDu_twitter
Hello, can anybody tell me why the flask-oauthlib author wrote "You SHOULD use https://github.com/lepture/authlib instead." on the flask-oauthlib Notice panel?
Jonathan Vanasco
@jvanasco
@freeAndyDu_twitter both projects are maintained by the same person, and they monetized authlib.
Jonathan Huot
@JonathanHuot
@volundmush, you have to know that oauth2/oidc is a browser-based delegation protocol. You delegate the authentication to another party. It is very useful if you don't want to bother with a login page and passwords; you delegate the authN with browser redirections. I don't know about WAMP, can you explain more maybe?
@Perzan: can you be more explicit? Your link seems to describe a normal oidc flow.
Jonathan Huot
@JonathanHuot
Hi @mchesler613, nice write-up! Really! To give some feedback, oauthlib is using a state_generator based on random chars and the secrets library too, so you can use it directly instead of using the secrets library in the Django implementation. However, I prefer your approach of using token_urlsafe instead of the current oauthlib's rand.choice(UNICODE_ASCII)! Any PR in oauthlib to change it would be great :)