logto-io / js

🤓 Logto JS SDKs.
https://docs.logto.io/quick-starts/
MIT License
61 stars 40 forks

feature request, resource as single param rather than duplicate #670

Closed michelerenzullo closed 5 months ago

michelerenzullo commented 6 months ago

Adding multiple resource params when doing the AuthorizationRequest seems non-standard, at least compared with the Auth0 implementation. I understand if it is as it is with your services, but it would be nice to have a way to make it work generally, since I can't request an authorisation code for multiple resources at the same time right now if I don't use your dart sdk.

Example: using flutter_appauth we can use "additionalParameters", which is a Map<String,String>, but can't define more than 1 resource. The problem is not arising with your dart sdk, but I was thinking if it is possible to concatenate so that we're gonna have

{'resource': 'http://test.com/feedback http://test.com/books'}

so the request won't look like a concatenation of resources but one and only, separated by a char, and the logto server will unpack it correctly: &resource%3Dhttps%3A%2F%2Ftest.com%2Ffeedback&resource%3Dhttps%3A%2F%2Ftest.com%2Fbooks vs &resource%3Dhttps%3A%2F%2Ftest.com%2Ffeedback%20https%3A%2F%2Ftest.com%2Fbooks

charIeszhao commented 6 months ago

Interesting. Will definitely bring this to the team and have it discussed. Another alternative approach is maybe we can contribute a PR to flutter_appauth and make it support the resource param, so you don't have to configure it through the additionalParameters.

michelerenzullo commented 6 months ago

I asked today but it seems that the author doesn't want to, because flutter_appauth is an abstraction, a wrapper, of Auth0, so they are suggesting that the change shall be in Auth0... Link here

I had a fast look and I didn't find a doable way in flutter_appauth because it is bringing everything to the lower level, calling platform methods of the Auth0 binary (java/swift), therefore the patch shall be done there. From what I read on forums, auth0 refuses to implement this feature for security reasons or logic; they call it "multiple audiences (resources)", "array of audiences". I just want to append some &resource ... Lmao

michelerenzullo commented 6 months ago

Looks to me a lot like the organisation scopes logic; it is kinda the same process under the hood, I guess?

Resources --> Organisations Roles --> Organisation_roles adding just 1 resource=urn:logto:resource:organizations in the authorisation code request is equivalent to pass many &resource...

retrieve the token for the specific resource scoped authorisation code: is done with organization_id: <id_of_test.com_org> rather than indicating a specific resource: test.com

charIeszhao commented 6 months ago

Thanks for the additional information. The team will have it discussed this week, and I'll post you the updates in this ticket.

charIeszhao commented 6 months ago

Hey, quick question, what if you pass the resources as an array through the additionalParameters? E.g.

additionalParameters: {
  resource: ['foo', 'bar']
}

Would it parse it into something like resource=foo%2cbar? (%2c is comma encrypted)

renzullomichele commented 6 months ago
additionalParameters: {
  'resource': 'https://api1.com/,https://api2.com/',
}

is encoded as --> &resource=https%3A%2F%2Fapi1.com%2F%2Chttps%3A%2F%2Fapi2.com%2F

so the comma can be used in your source code as a feature to split. Yes.

charIeszhao commented 6 months ago
> additionalParameters: {
>   'resource': 'https://api1.com/,https://api2.com/',
> }
>
> is encoded as --> &resource=https%3A%2F%2Fapi1.com%2F%2Chttps%3A%2F%2Fapi2.com%2F
>
> so the comma can be used in your source code as a feature to split. Yes.

Thanks for the confirmation. Then it sounds like we can support the comma separated format. Will add this to our roadmap
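A server-side parser for the two formats compared in this thread (repeated `resource=` params per RFC 8707, and the comma-separated single value), added here as an example and not Logto's own code. It assumes a constructed allow-list of registered resources; each entry is validated as an absolute URI without a fragment and unknown entries are rejected rather than silently accepted.

```javascript
// Constructed sample of the resources registered with the authorization server.
const REGISTERED_RESOURCES = new Set([
  'https://api1.com/',
  'https://api2.com/',
]);

// RFC 8707 resource indicator: an absolute URI with no fragment component.
function isValidResourceIndicator(value) {
  let url;
  try {
    url = new URL(value);
  } catch {
    return false; // relative or otherwise unparsable
  }
  return url.hash === '' && !value.includes('#');
}

// Parse `resource` values from an authorization-request query string.
// getAll() collects the repeated-parameter form; split(',') unpacks the
// comma-separated form used with flutter_appauth's additionalParameters.
function parseResources(queryString) {
  const params = new URLSearchParams(queryString);
  const raw = params.getAll('resource').flatMap((v) => v.split(','));
  const resources = [];
  const rejected = [];
  for (const entry of raw.map((s) => s.trim()).filter(Boolean)) {
    if (!isValidResourceIndicator(entry)) {
      rejected.push({ value: entry, reason: 'malformed' });
    } else if (!REGISTERED_RESOURCES.has(entry)) {
      rejected.push({ value: entry, reason: 'unregistered' });
    } else if (!resources.includes(entry)) {
      resources.push(entry); // de-duplicate repeated indicators
    }
  }
  return { resources, rejected };
}
```

Rejecting rather than dropping unregistered entries lets the server answer with `invalid_target` instead of issuing a token for a narrower audience than the client asked for.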

charIeszhao commented 5 months ago

This feature should be available in the next release. Please stay tuned.

michelerenzullo commented 5 months ago

Yes thanks!