lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS, JWE, JWK, JWA, JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

Use Cookies in Resource Protector #493

Closed elmanm closed 2 years ago

elmanm commented 2 years ago

Is your feature request related to a problem? Please describe.

There does not seem to be a way to use the ResourceProtector with the web application flow (login + redirect) because it uses the Authorization header.

Describe the solution you'd like

I would like to be able to use a ResourceProtector to decorate views that are authed using a web app flow. Ideally the ResourceProtector would look in the request cookies as well as the Authorization header.

(possibly with extra validators to be registered as needed)

Describe alternatives you've considered

Subclassing the ResourceProtector to get the Cookie if the Authorization header is missing.

Additional context

lepture commented 2 years ago

I don't quite understand your question. The OAuth spec has no definition for handling cookies. I think you already know your answer: you can always subclass ResourceProtector to define your own way of authentication.

elmanm commented 2 years ago

I see, but I don't see how to use the resource protector with the login web application flow. The provider returns the token that the client should then store, but the resource protector always looks in the headers? Do I need to subclass the resource protector for this flow to work?
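The subclassing approach lepture points to, as an added example that is not part of this thread and not Authlib's own code. The base `ResourceProtector` and `BearerTokenValidator` below are constructed stand-ins that mirror the header-only shape described above (in Authlib itself the hook to override is the method that parses the Authorization header; the name and signature here are assumptions). The subclass falls back to a cookie only when the Authorization header is absent, and because a browser attaches cookies to cross-site requests automatically, it additionally demands a custom header on state-changing methods, which a cross-site form submission cannot supply. The cookie name, header name and in-memory token table are constructed for the example.

```python
import time
from dataclasses import dataclass, field


class MissingAuthorizationError(Exception): pass
class InvalidTokenError(Exception): pass
class InsufficientScopeError(Exception): pass
class CSRFError(Exception): pass


@dataclass
class Request:
    """Minimal request shape: method, headers and cookies (constructed stand-in)."""
    method: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# Constructed in-memory token table standing in for the server's token storage.
TOKENS = {
    "tok-web-1": {"scope": "profile email", "expires_at": time.time() + 3600},
    "tok-expired": {"scope": "profile", "expires_at": time.time() - 1},
}


class BearerTokenValidator:
    """Stand-in validator: looks the token up and checks expiry and scopes."""
    TOKEN_TYPE = "bearer"

    def authenticate_token(self, token_string):
        return TOKENS.get(token_string)

    def validate_token(self, token, scopes):
        if token is None or token["expires_at"] < time.time():
            raise InvalidTokenError()
        granted = set(token["scope"].split())
        if scopes and not set(scopes) <= granted:
            raise InsufficientScopeError()


class ResourceProtector:
    """Stand-in base class: accepts credentials from the Authorization header only."""

    def __init__(self):
        self._validators = {}

    def register_token_validator(self, validator):
        self._validators[validator.TOKEN_TYPE] = validator

    def parse_request_authorization(self, request):
        auth = request.headers.get("Authorization")
        if not auth:
            raise MissingAuthorizationError()
        parts = auth.split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in self._validators:
            raise InvalidTokenError()
        return self._validators[parts[0].lower()], parts[1]

    def validate_request(self, scopes, request):
        validator, token_string = self.parse_request_authorization(request)
        token = validator.authenticate_token(token_string)
        validator.validate_token(token, scopes)
        return token


class CookieOrHeaderProtector(ResourceProtector):
    """Header first; if absent, read the access token from a cookie.

    A cookie-borne token is sent by the browser on cross-site requests too, so
    on non-safe methods the cookie path also requires a custom header that a
    plain cross-site form cannot set (a fetch that sets it triggers CORS preflight).
    """
    SAFE_METHODS = ("GET", "HEAD", "OPTIONS")

    def __init__(self, cookie_name="access_token", csrf_header="X-Requested-With"):
        super().__init__()
        self.cookie_name = cookie_name      # assumed cookie name
        self.csrf_header = csrf_header      # assumed CSRF signal header

    def parse_request_authorization(self, request):
        if request.headers.get("Authorization"):
            return super().parse_request_authorization(request)
        token_string = request.cookies.get(self.cookie_name)
        if not token_string:
            raise MissingAuthorizationError()
        if request.method.upper() not in self.SAFE_METHODS and not request.headers.get(self.csrf_header):
            raise CSRFError()
        validator = self._validators.get("bearer")
        if validator is None:
            raise InvalidTokenError()
        return validator, token_string


def authorize(protector, request, scopes=None):
    """Run the protector and report the outcome as a short string (handy for views and tests)."""
    try:
        protector.validate_request(scopes, request)
        return "ok"
    except MissingAuthorizationError:
        return "missing_authorization"
    except InvalidTokenError:
        return "invalid_token"
    except InsufficientScopeError:
        return "insufficient_scope"
    except CSRFError:
        return "csrf_rejected"


if __name__ == "__main__":
    p = CookieOrHeaderProtector()
    p.register_token_validator(BearerTokenValidator())
    print(authorize(p, Request("GET", cookies={"access_token": "tok-web-1"}), ["profile"]))
    print(authorize(p, Request("POST", cookies={"access_token": "tok-web-1"}), ["profile"]))
```

A view decorated with this protector behaves exactly as before for API clients that send `Authorization: Bearer ...`, while browser sessions that stored the token in a cookie are accepted on reads and on writes that carry the CSRF header. Mark the cookie with `HttpOnly`, `Secure` and a `SameSite` attribute on the client side as well; the header check above is the server-side backstop, not a replacement for those.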