Correct! Clients that use "bundle.id:/" even as syntax but also "http://127.0.0.1:{port}/{path}" as described in RFC8252 - and the latter is causing me headache ;-) because the former I can make to work in DOT (even though it doesn't go natural), and because of the latter I tried to use oauthlib directly. (And since our list of clients is simple, I didn't think it would be too hard.)
There is another problem BTW with is_absolute_uri() from oauthlib, it does not take IPv6 addresses into account, so it doesn't accept http://[::1]:{port}/{path} even if I'd work around that in django-oauth-toolkit
That IPv6address regexp at https://github.com/oauthlib/oauthlib/blob/master/oauthlib/uri_validate.py#L83 is quite bad actually. Lots of valid IPv6 addresses that it won't match, and ::1 is just one of them. It's almost better to just use socket to test for a valid address, some other library, or with a regexp something like r'([A-Fa-f0-9:]+:+)+[A-Fa-f0-9]+'
For the django-oauth-toolkit I created jazzband/django-oauth-toolkit#953 to work around this; it kind of works when swapping too. The oauthlib/url_validate I'm not so sure how to work around nicely. (And it looks like there's no way from django-oauth-toolkit not to use the is_absolute_uri.)
Ok, well, I think that regexp that I wrote around 19:08 should be enough really, I filed a PR with that in oauthlib/oauthlib#753
while we're discussing around IP and such, nice article http://varnish-cache.org/docs/trunk/phk/ip_address.html (not 100% related this, but more to conversion from IP string into actual connection)
I think some unit tests will be needed in the PR to understand what we're trying to validate
I noticed the reply on my PRs for unit tests - but there no existing unit tests at all for these functions, so I'm not sure how to approach this
I can make some tests of course, and cover some tests - which is more than nothing, I just wasn't sure it's best to combine this at the same time
I can make some tests of course, and cover some tests - which is more than nothing, I just wasn't sure it's best to combine this at the same time
testing the regex in isolation is maybe not worth it, that would be better to add unit tests in the caller function instead
1 reply
I'm trying to figure out how to manage sessions with Autorization Code Flow with PKCE
And my question is: How can we handle sessions if all the tokens should stay on the server with this flow ?
does the agent (browser) should see the access_token / id_token ?
should we request an access token each time we make an endpoint call ?
since 2019, the recommanded way for OpenId is the Autorization Code Flow (base on the OAuth Autorization Grant with a little id_token twist) + PKCE
I found an openId-client library that cares of the oidc protocole part for us (redirections etc...) and provide a higher level API of user management
Even if I read a lot about Oidc, I still have some questions
1 - On the OIDC Autorization Code Flow with Private Client, the access_token and id_token are transmitted to the nodeJs server (in my case). Then, should I forward them to the browser ? If so, why don't manage every thing from the browser with the Autorization Code Flow with a Public Client + PKCE ? If leaking the tokens to the browser are security issues, I need to make use of sessions that make my server statefull. How can I deal properly with that ? what are the best practices ?
3 - how can we deal with refresh token on On the OIDC Autorization Code Flow with Private Client without managing sessions ?
Last but not least
=====> 4 - should I ask for a new access_tokent each time I want to make an API call ?
=====> 4 - should I ask for a new access_tokent each time I want to make an API call ?
@JonathanHuot ?
in both cases, you have to either store locally in browser the access token (got with pkce), or associate tokens with a session generated in your backend
I found some libs that handle a token renew mechanism on the fontend based on iframe called silent renew
I wonder if such trick can be done in the "native" world
also pkce for native apps is more than recommended
About native apps ;-) I'm curious what you @JonathanHuot think about oauthlib/oauthlib#753 because I think that will help native Apps with loopback addresses (I know a few that expect the [::1] address to work, that's why I stumbled upon this).
hey people. I'm working on a kinda weird project and am learning about authentication, a topic that I've never really dealt with before beyond very basic and crude stuff - as in, where the connection itself was proof of identity after entering credentials, and if that TCP connection was broken then it would have to login again.
my project is currently built around WAMP (Web Application Messaging Protocol). But I keep hearing people yammering about how I should use oauth2 and etc... I need to figure out what the story is and how I could integrate this.
though it looks like this is web-specific which isn't necessarily immediately useful to me, hrm
Is there such thing as a library that can automatically handle a login with OAuth?
Something like this: https://paste.md-5.net/reqoxakehu.coffeescript
Something like this: https://paste.md-5.net/reqoxakehu.coffeescript
@JonathanHuot A heads up that I wrote an article about using OAuthlib and requests to implement OAuth2 flow for a Django app. You can read about it here, https://python.plainenglish.io/integrating-oauth2-in-django-with-github-and-oauthlib-341dd0069c2d?sk=ae9055be50f0a7273e0de9e8ad604085. Thank you for your framework. I have learned so much!!
Hello, Anybody can tell me why flask-oauthlib author write "You SHOULD use https://github.com/lepture/authlib instead." on flask-oauthlib Notice panel?
@volundmush , you have to know that oauth2/oidc is a browser-based delegation protocol. You delegate the authentication to another party. It is very useful if you don't want to bother with login page and password, you delegate the authN with browser redirections. I don't know about WAMP, can you explain more maybe?
@Perzan : can you be more explicit ? your link seems to describe a normal oidc flow
Hi @mchesler613 , nice write-up! Really! To give some feedback, oauthlib is using state_generator based on random chars & secrets library too, so you can use it directly instead of using secrets library on Django implementation. However, I prefer your approach of using token_urlsafe instead of the current oauthlib's
rand.choice(UNICODE_ASCII)! Any PR in oauthlib will be great to change it :)