AnWeber / vscode-httpyac

Quickly and easily send REST, Soap, GraphQL, GRPC, MQTT and WebSocket requests directly within Visual Studio Code
https://marketplace.visualstudio.com/items?itemName=anweber.vscode-httpyac
MIT License
222 stars, 20 forks

Feature Request: Token Exchange Grant Support for a particular audience in the same realm #248

Closed natalie-o-perret closed 6 months ago

natalie-o-perret commented 6 months ago

🙋‍♀️ Hello @AnWeber ,

First off, thanks for your project, it's really awesome and fits exactly our needs at work without the whole enshittification that many tools suffer in this domain.

As described in this section, there is support for the OAuth2 Token Exchange grant. That being said, it seems it's only for the case of a different realm and not for a particular audience in the same realm as the initial access token.

I think it would be great if the token exchange auth could support a different audience in the same or a different realm, wdyt?

In our case we need to do this kind of workaround:

```http
### Get Access Token
# @name getAccessToken
POST {{keycloakTokenUrl}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{sso_clientId}} {{sso_clientSecret}}

grant_type=client_credentials

### Get Exchange Token
# @name getExchangeToken
# @forceRef getAccessToken
POST {{keycloakTokenUrl}} HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Authorization: Basic {{sso_clientId}} {{sso_clientSecret}}

grant_type=urn:ietf:params:oauth:grant-type:token-exchange&audience={{sso_TargetAudience}}&subject_token={{getAccessToken.access_token}}
# @import ../api_keycloak.http

### Get Entities
# @name getEntities
# @forceRef getExchangeToken
@dateStart=2023-11-01T00:00:00
@dateStop=2023-12-02T00:00:00
@pageIndex=1
@pageSize=3
GET {{apiHost}}/api/v1/entities
    ?dateStart={{dateStart}}
    &dateStop={{dateStop}}
    &pageIndex={{pageIndex}}
    &pageSize={{pageSize}}
Authorization: Bearer {{getExchangeToken.access_token}}
```

Also I think it would be best if the example shows the details of the definition about auth_realm.
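The workaround above hand-builds an RFC 8693 token-exchange request: client authentication via a Basic header, a `subject_token` obtained from the client-credentials grant, and an `audience` naming the target client in the same realm. The following is an added example (not httpyac code and not from this thread) that builds that request with the standard library and then checks the one thing a practitioner should verify on the returned token: that its `aud` claim actually names the audience that was requested, since a token whose `aud` does not list the target API must be rejected by that API. Client id, secret, audience and the demo JWTs are constructed values standing in for the `{{...}}` variables above; the `make_unsigned_demo_jwt` helper exists only so the example runs offline (real Keycloak tokens are signed, and only the issuer-side `aud` inspection shown here is safe to do without signature verification).

```python
"""RFC 8693 token-exchange request builder plus an audience check.
Added example; not part of httpyac or of the issue thread."""
import base64
import json
from typing import Optional
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """RFC 7617 client authentication: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_exchange_body(subject_token: str,
                        audience: Optional[str] = None,
                        resource: Optional[str] = None,
                        subject_token_type: str = ACCESS_TOKEN_TYPE,
                        requested_token_type: str = ACCESS_TOKEN_TYPE) -> str:
    """x-www-form-urlencoded body for the token-exchange grant (RFC 8693 2.1).

    `audience` and `resource` are both optional in the RFC, but without at
    least one of them the server has nothing to scope the new token to, so
    this builder refuses to produce a request that names neither.
    """
    if not audience and not resource:
        raise ValueError("token exchange needs an audience or a resource")
    params = {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "subject_token": subject_token,
        "subject_token_type": subject_token_type,
        "requested_token_type": requested_token_type,
    }
    if audience:
        params["audience"] = audience
    if resource:
        params["resource"] = resource
    return urlencode(params)


def _b64url_decode(segment: str) -> bytes:
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_payload(token: str) -> dict:
    """Decode the payload of a compact JWS WITHOUT verifying the signature.

    Acceptable for inspecting a token the issuer just returned over TLS;
    a token presented by a client must be signature-checked first.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, expected: str) -> bool:
    """True when the token's aud claim (a string or a list) names `expected`.

    The target API must be in aud, otherwise the exchange did not produce a
    token for it and the token must not be forwarded downstream.
    """
    aud = jwt_payload(token).get("aud")
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False


def make_unsigned_demo_jwt(payload: dict) -> str:
    """Constructed sample token for the offline demo: header and payload with
    an empty signature segment. Real tokens carry an RS256 signature."""
    def enc(obj: dict) -> str:
        data = json.dumps(obj, separators=(",", ":")).encode("utf-8")
        return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(payload)}."


if __name__ == "__main__":
    # Constructed stand-ins for {{sso_clientId}}, {{sso_clientSecret}},
    # {{getAccessToken.access_token}} and {{sso_TargetAudience}}.
    print(basic_auth_header("my-client", "s3cret"))
    subject = make_unsigned_demo_jwt({"aud": "my-client", "sub": "svc"})
    print(token_exchange_body(subject, audience="target-api"))
    exchanged = make_unsigned_demo_jwt({"aud": ["target-api", "account"]})
    print(audience_matches(exchanged, "target-api"))
    print(audience_matches(subject, "target-api"))
```

The body produced here is the same form the second request in the workaround sends by hand; the `subject_token_type` and `requested_token_type` parameters are included explicitly because the RFC requires the former and Keycloak accepts the latter to choose between access and refresh tokens.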

AnWeber commented 6 months ago

> it's only for the case of a different realm and not for a particular audience in the same realm as the initial access token.

Yes, my use case for the token exchange was to change the token to another realm. Do you have a suggestion on how the API should be adapted so that I can map your use case? I think it should be enough to include the audience in this request. The parameters requested_token_type and subject_token_type should also be valid for your use case, right? https://github.com/AnWeber/httpyac/blob/main/src/plugins/oauth2/flow/tokenExchangeFlow.ts#L31-L32

@natalie-o-perret I added audience and resource props to token exchange flow. Please test if your use case works.

natalie-o-perret commented 6 months ago

You're absolutely fantastic!!! Works like a charm!

Thanks a ton!