OpenConext / OpenConext-oidcng

OpenID Connect gateway - The Next Generation

Secure API for access_tokens & refresh_tokens #137

Closed phavekes closed 3 weeks ago

phavekes commented 3 weeks ago

This issue is imported from pivotal - Originally created at Jun 18, 2020 by Okke Harsta

A new API secured by basic authentication (multiple users) and behind a feature toggle to retrieve the following information from access_tokens and refresh_tokens:

The endpoint will fetch all the tokens based on the unspecified URN of the user. The API will also allow for deletion of the token(s). The unspecified URN will be stored with a SHA-512 hash with salt in the tokens.

The input parameters for the GET fetchTokens is the URL encoded unspecifiedID and the parameters for the deleteTokens are in the PUT request body containing the identifiers of the tokens to delete and the type of token: [{"id":"1212", "type":"ACCESS"},{"id":"9999", "type":"REFRESH"}].

See for examples: https://github.com/OpenConext/OpenConext-oidcng#topenapi
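The following is an added example sketching the behaviour the issue asks for; it is not code from OpenConext-oidcng. It models the two handlers (GET by URL-encoded unspecified URN, PUT with a JSON list of token ids and types), basic authentication for several configured users, the feature toggle, and storage of only a salted SHA-512 hash of the URN. The function and class names, the in-memory store, the sample users and the salt are all constructed for illustration; the one design assumption worth stating is that the salt is a single server-wide secret, because a per-record random salt would make the stored hash impossible to look up from an incoming URN.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import quote, unquote

# Constructed settings standing in for the gateway's configuration (hypothetical names).
FEATURE_TOKEN_API_ENABLED = True
API_USERS = {"eduid": "secret"}            # sample basic-auth users, constructed
URN_SALT = b"constructed-server-wide-salt"   # assumption: one fixed secret salt for all tokens


def hash_unspecified_id(unspecified_id: str, salt: bytes = URN_SALT) -> str:
    """SHA-512 over salt || URN, hex encoded; only this value is persisted with a token.
    The salt is shared by every record so the hash can be recomputed for lookups."""
    return hashlib.sha512(salt + unspecified_id.encode("utf-8")).hexdigest()


def basic_auth_ok(authorization_header, users=API_USERS) -> bool:
    """Check an 'Authorization: Basic ...' header against the configured users,
    using a constant-time comparison for the password."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(password, expected)


class TokenStore:
    """In-memory stand-in for the access/refresh token tables (constructed)."""

    TYPES = ("ACCESS", "REFRESH")

    def __init__(self):
        self._tokens = {t: {} for t in self.TYPES}   # type -> id -> record

    def issue(self, token_id, token_type, unspecified_id, client_id, scopes):
        if token_type not in self.TYPES:
            raise ValueError(f"unknown token type {token_type!r}")
        record = {"id": token_id, "type": token_type, "clientId": client_id,
                  "scopes": list(scopes),
                  "subHash": hash_unspecified_id(unspecified_id)}  # no plaintext URN stored
        self._tokens[token_type][token_id] = record
        return record

    def fetch_tokens(self, encoded_unspecified_id):
        """GET handler: decode the URL-encoded URN, hash it, match on the stored hash."""
        wanted = hash_unspecified_id(unquote(encoded_unspecified_id))
        return [{k: v for k, v in rec.items() if k != "subHash"}
                for per_type in self._tokens.values()
                for rec in per_type.values()
                if hmac.compare_digest(rec["subHash"], wanted)]

    def delete_tokens(self, body):
        """PUT handler: body is a JSON list of {"id": ..., "type": "ACCESS"|"REFRESH"}.
        Returns (http_status, deleted_count); 204 No Content is the normal outcome.
        The whole list is validated before anything is removed, so a bad entry
        yields 400 without a partial delete. Unknown ids are silently ignored."""
        try:
            items = json.loads(body)
        except json.JSONDecodeError:
            return 400, 0
        if not isinstance(items, list):
            return 400, 0
        for item in items:
            if not isinstance(item, dict) or "id" not in item:
                return 400, 0
            if item.get("type", item.get("tokenType")) not in self.TYPES:  # both spellings seen in the thread
                return 400, 0
        deleted = 0
        for item in items:
            token_type = item.get("type", item.get("tokenType"))
            if self._tokens[token_type].pop(item["id"], None) is not None:
                deleted += 1
        return 204, deleted


def handle_request(store, method, authorization, path_param=None, body=None):
    """Order the checks as a gateway would: feature toggle, then auth, then the handler."""
    if not FEATURE_TOKEN_API_ENABLED:
        return 404, None
    if not basic_auth_ok(authorization):
        return 401, None
    if method == "GET":
        return 200, store.fetch_tokens(path_param)
    if method == "PUT":
        return store.delete_tokens(body)[0], None
    return 405, None


if __name__ == "__main__":
    store = TokenStore()
    urn = "urn:collab:person:example.com:jdoe"   # constructed unspecified URN
    store.issue("5f758410171a69543a5a4bfd", "ACCESS", urn, "client-a", ["openid"])
    store.issue("5f758410171a69543a5a4bfe", "REFRESH", urn, "client-a", ["openid"])
    auth = "Basic " + base64.b64encode(b"eduid:secret").decode()
    print(handle_request(store, "GET", auth, path_param=quote(urn)))
    body = json.dumps([{"id": "5f758410171a69543a5a4bfe", "type": "REFRESH"}])
    print(handle_request(store, "PUT", auth, body=body))
    print(handle_request(store, "GET", auth, path_param=quote(urn)))
```

The fetch response deliberately omits the stored hash, so the API returns only what the end user needs to recognise a token (client, scopes, type, id), and the delete handler validates every entry before removing any so a malformed second item cannot leave the first one half-applied.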

phavekes commented 3 weeks ago

This seems like a good first implementation to validate that this is what we seek. It seems that not too much information has to be stored in the database, but yet maximum transparency for the end user. In the longer term, and when we are going to use this in production, I'd like to be able to use OAuth2 to secure the API instead of HTTP basic auth, since the API is connected to the public internet. But for now, this is fine.

One thing is not yet working as expected. I'm unable to delete multiple tokens at once: I get this error: http 204 Warning: You can only select one HTTP request! request:

curl -u eduid:secret -H "Content-type: application/json" -X PUT -d '[{"id":"5f758410171a69543a5a4bfe","tokenType":"REFRESH"},{"id":"5f758410171a69543a5a4bfd","tokenType":"ACCESS"}]' https://connect.test2.surfconext.nl/tokens -I (Bart Geesink - Oct 1, 2020)

phavekes commented 3 weeks ago

@bartgeesink The deletion of multiple tokens works - eduID uses it. You might want to put quotes around the URL in your cURL command. The error you are getting is from cURL and not from the actual endpoint. (Okke Harsta - Oct 1, 2020)

phavekes commented 3 weeks ago

HTTP 204 is "No content". It seems to generate that status code every time you delete tokens. I was mistaken that that constitutes an error; a 204 is fine. (Bart Geesink - Oct 5, 2020)