AKlaus / Transparent-Auth-Gateway

Implementations of a "transparent" Auth Gateway that links a third-party Identity Provider with own authorisation rules (scopes, roles, etc.)
https://alex-klaus.com/transparent-auth-gateway-1
MIT License

Shortening the returned code in the Authorisation Code with PKCE implementation #1

Closed AKlaus closed 1 year ago

AKlaus commented 1 year ago

CONTEXT: the Authorisation Code with PKCE (RFC 7636) implementation with no authorization storage (e.g. for the Degraded mode) and hence no reference tokens in use.

PROBLEM: The server returns the Code (encrypted by default) wrapped in a signed JWT by calling the GenerateIdentityModelToken.ValueTask() method: context.Token = context.SecurityTokenHandler.CreateToken(descriptor). This (especially the signature) blows out the size of the generated code string (it becomes > 2,048 symbols) that gets returned in the Query String.

TL;DR: Due to the heavy size of the token, the client's request may, in turn, hit limitations on the Query String and/or URL length.

GOAL: Keep the generated code string well under 2,048 symbols, e.g.: code=lBm8NqlNa0qKalXTRc7cYA&state=V2VkIEp1bCAyNiAyMDIzIDE4OjE3OjMzIEdNVCsxMDAwIChBdXN0cmFsaWFuIEVhc3Rlcm4gU3RhbmRhcmQgVGltZSk%3D&iss=https%3A%2F%2Flocalhost%3A5003%2F
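The size problem described in the issue comes from wrapping the code in a signed (and encrypted) JWT. As an added illustration, not code from this repository or from OpenIddict, the Python sketch below shows one way a self-contained authorisation code can stay short in a storage-less mode while still binding the S256 code_challenge and the client id to the code: the claims are packed as raw bytes and sealed with a truncated HMAC-SHA256 tag, and the same claims are also wrapped as an HS256 JWS so the fixed overhead a JWT adds can be measured. SERVER_KEY, the byte layout, the client id and the code verifier are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import struct
import time

# Constructed demo key: a real gateway loads this from its key management.
SERVER_KEY = b"constructed-demo-key-not-for-production"
TAG_LEN = 16          # bytes of the HMAC-SHA256 tag kept (128-bit integrity check)
CHALLENGE_LEN = 32    # an S256 code_challenge is a raw SHA-256 digest
HEADER_FMT = ">QB"    # exp (uint64, seconds) | client_id length (uint8)
HEADER_LEN = struct.calcsize(HEADER_FMT)


def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def s256_challenge(code_verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return b64u(hashlib.sha256(code_verifier.encode("ascii")).digest())


def issue_code(client_id, code_challenge, ttl=60, now=None):
    """Compact stateless code: exp | client_id | challenge, sealed with a truncated HMAC."""
    now = int(time.time()) if now is None else now
    challenge = b64u_decode(code_challenge)
    if len(challenge) != CHALLENGE_LEN:
        raise ValueError("code_challenge is not an S256 digest")
    cid = client_id.encode("utf-8")
    body = struct.pack(HEADER_FMT, now + ttl, len(cid)) + cid + challenge
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    return b64u(body + tag)


def redeem_code(code, client_id, code_verifier, now=None):
    """Check integrity, expiry, client binding and the PKCE verifier. Returns True on success."""
    now = int(time.time()) if now is None else now
    try:
        raw = b64u_decode(code)
    except (ValueError, TypeError):
        return False
    if len(raw) < HEADER_LEN + CHALLENGE_LEN + TAG_LEN:
        return False
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):   # reject tampered codes before parsing
        return False
    exp, cid_len = struct.unpack(HEADER_FMT, body[:HEADER_LEN])
    cid = body[HEADER_LEN:HEADER_LEN + cid_len]
    challenge = body[HEADER_LEN + cid_len:]
    if now >= exp or len(challenge) != CHALLENGE_LEN:
        return False
    if not hmac.compare_digest(cid, client_id.encode("utf-8")):
        return False
    # PKCE: the verifier presented at the token endpoint must hash to the stored challenge.
    return hmac.compare_digest(hashlib.sha256(code_verifier.encode("ascii")).digest(), challenge)


def jwt_style_code(client_id, code_challenge, ttl=60, now=None):
    """Same claims as a compact HS256 JWS, to show the overhead JSON plus a full signature add."""
    now = int(time.time()) if now is None else now
    compact = {"separators": (",", ":")}
    header = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}, **compact).encode())
    payload = b64u(json.dumps(
        {"client_id": client_id, "code_challenge": code_challenge, "exp": now + ttl},
        **compact).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = b64u(hmac.new(SERVER_KEY, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}"


if __name__ == "__main__":
    verifier = "constructed-code-verifier-0123456789abcdefghijklmnop"  # constructed sample
    challenge = s256_challenge(verifier)
    code = issue_code("demo-client", challenge, now=1000)
    print(len(code), "chars compact vs",
          len(jwt_style_code("demo-client", challenge, now=1000)), "chars as a JWS")
    print("redeem:", redeem_code(code, "demo-client", verifier, now=1030))
```

The trade-off of a storage-less code is that the server cannot mark it as used, so the single-use requirement of RFC 6749 is only approximated by the short expiry; a deployment that needs replay detection still needs some record of redeemed codes. If the claims must also stay confidential (the issue notes the code is encrypted by default), an AEAD such as AES-GCM over the same packed body adds a 12-byte nonce and a 16-byte tag, which keeps the code well under the 2,048-character goal, whereas an asymmetric JWS signature alone is hundreds of base64 characters.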

AKlaus commented 1 year ago

Cross-link: openiddict/openiddict-core/issues/1843