coupergateway / couper

Couper is a lightweight API gateway designed to support developers in building and operating API-driven Web projects
https://couper.io
MIT License

JWT: `bearer = true` indicating bearer token source #720

Closed johakoch closed 1 year ago

johakoch commented 1 year ago
```hcl
jwt {
  # obtaining token from "Authorization: Bearer ..." request header
  # explicit notation for strange special treatment with header = "Authorization"
  bearer = true
}
```
filex commented 1 year ago

We could even make this the default token source.

johakoch commented 1 year ago

RFC6750 section 2 has three methods for extracting a bearer token:

Should bearer = true implement one of the optional methods, too? IMO, we should not implement the query parameter (it's intentionally not part of the current OAuth2.1 draft). But we could implement the form body parameter.

filex commented 1 year ago

Form Body would be x-www-form-urlencoded? I would not implement that as part of bearer=true. I'd find it surprising as a user, because the authorization header is so much more common.

In the rare case of Form body, users can still use token_value. (Same for query).


johakoch commented 1 year ago

> Form Body would be x-www-form-urlencoded?

Yes

> I would not implement that as part of bearer=true. I'd find it surprising as a user, because the authorization header is so much more common.

We can add that later, if there is need.

> In the rare case of Form body, users can still use token_value. (Same for query).

If that is the only supported source, yes. As implemented and documented, token sources are currently mutually exclusive.
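The RFC 6750 section 2 extraction rules discussed in this thread, as an added Go example that is not Couper's own code: the Authorization header method is always on, the form-body method is opt-in (`AllowFormBody` is an assumed name, not a Couper option), the query-parameter method is left out, and a request carrying the token via more than one method is rejected because RFC 6750 forbids that.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// TokenSource follows the thread's proposal (added example, not Couper's code):
// the Authorization header is the default, the form-body method is opt-in,
// and the query-parameter method is not offered at all.
type TokenSource struct{ AllowFormBody bool }

var ErrNoToken = errors.New("no bearer token found")
var ErrMultipleTokens = errors.New("token sent via more than one method (RFC 6750 section 2)")

// Extract returns the bearer token carried by r. The scheme name is matched
// case-insensitively. RFC 6750 says a client MUST NOT use more than one method
// per request, so a token in both header and body is an error, not a choice.
func (s TokenSource) Extract(r *http.Request) (string, error) {
	var found []string
	if parts := strings.SplitN(r.Header.Get("Authorization"), " ", 2); len(parts) == 2 &&
		strings.EqualFold(parts[0], "Bearer") && strings.TrimSpace(parts[1]) != "" {
		found = append(found, strings.TrimSpace(parts[1]))
	}
	if s.AllowFormBody && r.Method == http.MethodPost &&
		strings.HasPrefix(r.Header.Get("Content-Type"), "application/x-www-form-urlencoded") {
		// PostFormValue reads the body only and ignores the URL query string,
		// so an access_token query parameter is never accepted.
		if tok := r.PostFormValue("access_token"); tok != "" {
			found = append(found, tok)
		}
	}
	switch len(found) {
	case 0:
		return "", ErrNoToken
	case 1:
		return found[0], nil
	}
	return "", ErrMultipleTokens
}

func main() {
	// Constructed request for illustration; the token value is made up.
	r, _ := http.NewRequest("GET", "http://example.test/api", nil)
	r.Header.Set("Authorization", "Bearer eyJ.constructed.token")
	fmt.Println(TokenSource{}.Extract(r))
}
```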

johakoch commented 1 year ago

VSCode issue: https://github.com/avenga/couper-vscode/issues/127