Currently Thing Descriptions claim that WebThings Gateway implements the OAuth2SecurityScheme. However, I've noticed that this is not fully implemented in the way that third party services might expect.
For example it should be possible to:
- [ ] Authenticate arbitrary web services with the gateway, by prompting a user for their username and password (see #340)
- [ ] Issue both API access tokens with an expiry date (see #133), and refresh tokens (see #339)
- [ ] Support more granular permissions (see #1678)
- [ ] Revoke refresh tokens
- [ ] Support security bootstrapping (respond with the correct 302 or 303 response which redirects to the authentication endpoint, rather than 401)
There are also some strange implementation details in the way JWTs are used, like kid headers being used to identify individual JWTs, instead of a jti in the JWT payload.
The current implementation provided by the gateway is more like the simpler BearerSecurityScheme.
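To make the JWT points above concrete, here is an added example (not WebThings Gateway code, and not part of the original issue) of how a token issuer and verifier would normally divide the roles the issue describes: `kid` in the header names the signing key, `jti` in the payload identifies the individual token so that one token can be revoked, and `exp` bounds its lifetime. The key ID `gateway-key-1`, the secret, the scope string and the revocation set are all constructed for the example; the standard-library HS256 implementation stands in for whatever JWT library a real gateway would use.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid

# Constructed example key set: "kid" selects which signing key to use.
# A real deployment would load this from configuration and rotate it.
SIGNING_KEYS = {"gateway-key-1": b"constructed-demo-secret-not-for-production"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWTs drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scope, lifetime_seconds, kid="gateway-key-1", now=None, jti=None):
    """Mint an HS256 JWT.

    `kid` names the signing key (its normal role); `jti` uniquely identifies
    this token so it can be revoked on its own; `exp` gives it an expiry.
    `now` and `jti` can be pinned for deterministic tests.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    payload = {
        "sub": subject,
        "scope": scope,          # constructed scope string, e.g. "things:read"
        "iat": now,
        "exp": now + lifetime_seconds,
        "jti": jti or str(uuid.uuid4()),
    }
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token, revoked_jtis, now=None):
    """Return (ok, reason, payload).

    Order matters: the signature is checked before any claim is trusted, then
    expiry, then the revocation list keyed by `jti`.
    """
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8, bad JSON, wrong part count
        return False, "malformed", None
    if header.get("alg") != "HS256":
        return False, "unsupported alg", None
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        return False, "unknown kid", None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature", None
    if "exp" not in payload or now >= payload["exp"]:
        return False, "expired", None
    if payload.get("jti") in revoked_jtis:
        return False, "revoked", None
    return True, "ok", payload


if __name__ == "__main__":
    revoked = set()
    token = issue_token("user1", "things:read", lifetime_seconds=3600)
    ok, reason, claims = verify_token(token, revoked)
    print(ok, reason, claims["jti"])
    revoked.add(claims["jti"])           # revoke this one token only
    print(verify_token(token, revoked)[:2])
```

Because revocation is keyed by `jti`, a single refresh token can be invalidated without rotating the signing key that `kid` points at, which would otherwise invalidate every token at once.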