Closed rethab closed 4 years ago
It should be possible to not require it in rocket_oauth2; the spec and some providers allow for alternative registration of the redirect URI.
But I'm not sure it would actually help you: the way this library is currently structured, a token exchange can only happen in response to the callback handler (the destination of the redirect_uri). Can you explain your workflow in more detail?
The thing is that I'm only using the token exchange part of this library. Arguably, using this library is not really worth it in my case.
What happens in its entirety:
In other words, I only use your library for these two lines:
let hyper = HyperSyncRustlsAdapter {};
let access_token = hyper.exchange_code(&self.oauth_config, TokenRequest::AuthorizationCode(code.0));
Github POSTs to the backend (note that until now, the backend was not involved at all)
I'm unfamiliar with this step. GitHub claims to only support the Authorization Code Grant for OAuth2 apps, and under the Authorization Code Grant the code is always transferred via a client-side redirect to the redirect URI. I also don't see anything in RFC 6749 about an authorization server making a POST request to the application server.
let hyper = HyperSyncRustlsAdapter {};
let access_token = hyper.exchange_code(&self.oauth_config, TokenRequest::AuthorizationCode(code.0))
Ah, I stand corrected - I had forgotten this was possible in the public API.
I'm sorry, when I said "Github POSTs to the backend" I meant to say: "My JS app POSTs to the backend". So my JS app gets the code from Github and after that, my JS app POSTs that code to the backend. The backend then does the token exchange.
In any case, I understand the surface area with your library is quite small and it might actually be easier for me to just implement the token exchange manually.
Okay, I think we are on the same page. It makes sense in isolation to make redirect_uri optional anyway, but I also agree that this library may do more than you personally need.
This functionality has been implemented in 0.3.0-rc.1: redirect_uri is an Option in the API, and a missing value in Rocket.toml is treated as None.
Hi, as far as I can see the redirect_uri seems to be required in any case: https://github.com/jebrosen/rocket_oauth2/blob/master/src/config.rs#L13
Now in the scenario I'm using this library, which is only the token exchange, in a server-to-server scenario, providing the redirect_uri is not required (also see github's docs: https://developer.github.com/apps/building-oauth-apps/authorizing-oauth-apps/#parameters-1).
It would be nice if this library allowed me to omit this parameter.
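The optional redirect_uri discussed in this thread, as an added example that is not part of the original issue and is not rocket_oauth2 code: it builds the form body of an authorization-code token request and sends redirect_uri only when one is configured. RFC 6749 section 4.1.3 requires the parameter, with an identical value, whenever the authorization request carried one, which the second function checks. All function names and sample values are hypothetical, and sending the client credentials in the body is an assumption.

```rust
// Added example, std only. Function names and sample values are hypothetical.

/// Percent-encode one value for application/x-www-form-urlencoded.
fn form_encode(value: &str) -> String {
    let mut out = String::new();
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_' | b'.' | b'*' => {
                out.push(b as char)
            }
            b' ' => out.push('+'),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the token request body; redirect_uri is included only when it is Some.
/// Assumption: client credentials go in the body rather than in HTTP Basic auth.
fn token_request_body(id: &str, secret: &str, code: &str, redirect_uri: Option<&str>) -> String {
    let mut pairs = vec![
        ("grant_type", "authorization_code"),
        ("code", code),
        ("client_id", id),
        ("client_secret", secret),
    ];
    if let Some(uri) = redirect_uri {
        pairs.push(("redirect_uri", uri));
    }
    let encoded: Vec<String> = pairs
        .iter()
        .map(|(k, v)| format!("{}={}", k, form_encode(v)))
        .collect();
    encoded.join("&")
}

/// RFC 6749 section 4.1.3: if the authorization request carried a redirect_uri,
/// the token request must carry the identical value. Nothing is required otherwise.
fn redirect_uri_consistent(authz: Option<&str>, token: Option<&str>) -> bool {
    match authz {
        Some(sent) => token == Some(sent),
        None => true,
    }
}

fn main() {
    // Constructed sample values, not real credentials.
    println!("{}", token_request_body("my-client", "s3cret", "abc123", None));
    let cb = Some("https://app.example/cb");
    println!("{}", token_request_body("my-client", "s3cret", "abc123", cb));
    println!("{}", redirect_uri_consistent(cb, None));
}
```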