Closed johakoch closed 1 year ago
We could even make this the default token source.
RFC6750 section 2 has three methods for extracting a bearer token:

- `Authorization: Bearer ...` request header (section 2.1, RS MUST support)
- `access_token` form body parameter (section 2.2, RS MAY support)
- `access_token` query parameter (section 3.2, RS MAY support, SHOULD NOT be used by a client)

Should `bearer = true` implement one of the optional methods, too?
IMO, we should not implement the query parameter (it's intentionally not part of the current OAuth2.1 draft). But we could implement the form body parameter.
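For reference, the three RFC 6750 extraction methods and the "one method per request" rule from section 2 are straightforward to express as a single resource-server helper. The following Go code is an added example written for this page; it is not Couper's implementation and the name `ExtractBearer` and the `allowForm`/`allowQuery` switches (standing in for the optional methods debated above) are assumptions. It always accepts the `Authorization` header, accepts the form body and query parameter only when enabled, and rejects a request that carries a token in more than one place instead of silently preferring one of them.

```go
package main

import (
	"errors"
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// TokenSource names the RFC 6750 section 2 method that carried the token.
type TokenSource string

const (
	SourceHeader TokenSource = "header" // 2.1: Authorization: Bearer ... (RS MUST support)
	SourceForm   TokenSource = "form"   // 2.2: access_token form body parameter (RS MAY support)
	SourceQuery  TokenSource = "query"  // 2.3: access_token query parameter (RS MAY support)
)

var (
	ErrNoToken   = errors.New("no bearer token in request")
	ErrAmbiguous = errors.New("bearer token supplied more than once")
	ErrMalformed = errors.New("malformed bearer credentials")
)

// ExtractBearer extracts a bearer token using the methods of RFC 6750 section 2.
// The header method is always checked; allowForm and allowQuery (hypothetical
// switches for this example) enable the optional methods. Clients MUST NOT use
// more than one method per request, so a token found twice is rejected.
func ExtractBearer(r *http.Request, allowForm, allowQuery bool) (string, TokenSource, error) {
	var tok string
	var src TokenSource
	record := func(t string, s TokenSource) error {
		if t == "" {
			return ErrMalformed
		}
		if tok != "" {
			return ErrAmbiguous
		}
		tok, src = t, s
		return nil
	}

	// 2.1 Authorization header. The scheme is case-insensitive (RFC 7235); an
	// Authorization header carrying another scheme is simply not a bearer token.
	if auth := r.Header.Get("Authorization"); auth != "" {
		scheme, rest, _ := strings.Cut(auth, " ")
		if strings.EqualFold(scheme, "Bearer") {
			if err := record(strings.TrimSpace(rest), SourceHeader); err != nil {
				return "", "", err
			}
		}
	}

	// 2.2 Form-encoded body parameter. RFC 6750 restricts this to a single-part
	// application/x-www-form-urlencoded body on a method with body semantics,
	// so GET is excluded. r.PostForm holds body values only, never the query.
	if allowForm && r.Method != http.MethodGet {
		ct, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
		if err == nil && ct == "application/x-www-form-urlencoded" {
			if err := r.ParseForm(); err != nil {
				return "", "", ErrMalformed
			}
			if vals := r.PostForm["access_token"]; len(vals) > 0 {
				if len(vals) > 1 {
					return "", "", ErrAmbiguous
				}
				if err := record(vals[0], SourceForm); err != nil {
					return "", "", err
				}
			}
		}
	}

	// 2.3 URI query parameter. Clients SHOULD NOT use it (it ends up in access
	// logs and Referer headers); a server that does accept it is expected to
	// respond with Cache-Control: private.
	if allowQuery {
		if vals := r.URL.Query()["access_token"]; len(vals) > 0 {
			if len(vals) > 1 {
				return "", "", ErrAmbiguous
			}
			if err := record(vals[0], SourceQuery); err != nil {
				return "", "", err
			}
		}
	}

	if tok == "" {
		return "", "", ErrNoToken
	}
	return tok, src, nil
}

func main() {
	// Constructed sample request: header method only, optional methods disabled.
	req := httptest.NewRequest(http.MethodGet, "/api", nil)
	req.Header.Set("Authorization", "Bearer constructed.sample.token")
	tok, src, err := ExtractBearer(req, false, false)
	fmt.Println(tok, src, err)
}
```

With both switches off the helper behaves like the header-only `bearer = true` described in this thread; turning on `allowForm` is the form-body extension discussed, and the query switch is there only to show what the RFC allows, not to recommend it.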
Form Body would be x-www-form-urlencoded? I would not implement that as part of bearer=true. I'd find it surprising as a user, because the authorization header is so much more common.

In the rare case of Form body, users can still use token_value. (Same for query).
From: Johannes Koch
Sent: Tuesday, February 21, 2023 10:10:58 PM
To: avenga/couper
Cc: Felix Hassert; Comment
Subject: Re: [avenga/couper] JWT: bearer = true indicating bearer token source (Issue #720)
> Form Body would be x-www-form-urlencoded?

Yes

> I would not implement that as part of bearer=true. I'd find it surprising as a user, because the authorization header is so much more common.

We can add that later, if there is need.

> In the rare case of Form body, users can still use token_value. (Same for query).

If that is the only supported source, yes. As implemented and documented, token sources are currently mutually exclusive.
VSCode issue: https://github.com/avenga/couper-vscode/issues/127
cookie, header and token_value
header = "Authorization"