MobilityData / gbfs-validator

The canonical GBFS validator. Maintained by the GBFS community, facilitated by MobilityData.
https://gbfs-validator.mobilitydata.org/
Apache License 2.0

Support OAuth 2.0 client credentials grant flow #40

Closed testower closed 3 years ago

testower commented 3 years ago

It is common to use Bearer token authentication with the OAuth 2.0 client credentials grant flow to grant the token itself. The flow uses basic auth against a token endpoint to retrieve the bearer token. We have several feed providers who use this method. I think it is standard enough to warrant support in the core validator.

I'd be happy to contribute to getting the change in, if it is agreed that it should be supported.

PierrickP commented 3 years ago

Hello @testower, this is probably a nice update!

Can you make a PR? Are you a GBFS producer or consumer? I'm not sure I have this kind of feed to correctly test it.

For the update, I would see a new option on the auth select on the website with 3 inputs (username / password / endpoint?). Then something here https://github.com/MobilityData/gbfs-validator/blob/596378a8f12a013a855446147888617395caf7e9/gbfs-validator/gbfs.js#L61-L81 to get the access token.

testower commented 3 years ago

From the point of view of this request I'm a consumer. Yes I'd be happy to make a PR on this.

Yes I think 3 options as you mention makes sense.

However, retrieving the access token in the constructor is a tricky affair since it needs to be an async operation, and constructors can't be async (?). So I think it may be better to do it lazily on the first actual request and then save the token for the subsequent requests.

Let me know if that makes sense.

testower commented 3 years ago

I need to correct myself: While it is technically possible to make the constructor async / return a promise, it is a bit unorthodox and would possibly feel strange in this case, unless you actually need to use this particular feature.

PierrickP commented 3 years ago

Hello, sorry for the late reply. I agree about the async constructor, it's a bad idea. At first, I was thinking of making the auth roundtrip on the frontend and returning the access token to the back. Or you can add an async function on the validation function https://github.com/MobilityData/gbfs-validator/blob/master/gbfs-validator/gbfs.js#L262 . Other functions are not written to be called outside of the class.

testower commented 3 years ago

Yeah I think on the validation function is the better option. I'll have a PR ready today hopefully 👍
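
The lazy approach discussed in this thread (synchronous constructor, bearer token fetched on the first request and reused afterwards), as an added example that is not part of the thread or of gbfs-validator's code. The class name, option names and the injectable `fetchFn` are assumptions made for illustration.

```javascript
// Added example: lazy OAuth 2.0 client credentials token retrieval with caching.
// ClientCredentialsAuth and its options are hypothetical, not gbfs-validator's API.
class ClientCredentialsAuth {
  constructor({ tokenUrl, clientId, clientSecret, fetchFn = (...a) => fetch(...a) }) {
    // Basic auth carries the client secret, so refuse a cleartext token endpoint.
    if (new URL(tokenUrl).protocol !== 'https:') {
      throw new Error('token endpoint must use https')
    }
    Object.assign(this, { tokenUrl, clientId, clientSecret, fetchFn })
    this.token = null // cached bearer token
    this.expiresAt = 0 // epoch ms after which a new token is requested
    this.pending = null // in-flight token request shared by concurrent callers
  }

  // Client credentials grant (RFC 6749 section 4.4) with HTTP Basic client auth.
  buildTokenRequest() {
    const basic = Buffer.from(`${this.clientId}:${this.clientSecret}`).toString('base64')
    return {
      method: 'POST',
      headers: {
        Authorization: `Basic ${basic}`,
        'Content-Type': 'application/x-www-form-urlencoded'
      },
      body: new URLSearchParams({ grant_type: 'client_credentials' }).toString()
    }
  }

  // Called from the async validation path; the constructor never does I/O.
  async getToken(now = Date.now()) {
    if (this.token && now < this.expiresAt) return this.token
    if (!this.pending) {
      this.pending = (async () => {
        const res = await this.fetchFn(this.tokenUrl, this.buildTokenRequest())
        if (!res.ok) throw new Error(`token endpoint returned ${res.status}`)
        const { access_token: token, expires_in: ttl = 0 } = await res.json()
        if (!token) throw new Error('token response has no access_token')
        this.token = token
        // Refresh 30 s early; with no expires_in the token is not reused.
        this.expiresAt = now + Math.max(0, ttl - 30) * 1000
        return token
      })().finally(() => { this.pending = null })
    }
    return this.pending
  }

  // Headers to attach to each feed request.
  async authHeaders() {
    return { Authorization: `Bearer ${await this.getToken()}` }
  }
}
```

Error messages include only the HTTP status, so the client secret and token never end up in validator output or logs.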