[All SDKs] OAuth token endpoint should be configurable and/or support oidc discovery

le-yams commented 1 year ago

Description

For clients using OAuth2 credentials, the token endpoint is currently hardcoded in all SDKs (with /oauth/token value). Could it be possible to make it configurable? Or even better support oidc discovery?

I'm willing to contribute if that's something you would be interested in :)

Steps to take

Change the `apiTokenIssuer` field in the configuration to accept a full URL. So:	`ApiTokenIssuer`	Endpoint SDK will hit
`issuer.fga.example`	`https://issuer.fga.example/oauth/token`
`https://issuer.fga.example`	`https://issuer.fga.example/oauth/token`
`https://issuer.fga.example:8080`	`https://issuer.fga.example:8080/oauth/token`
`issuer.fga.example/some_endpoint`	`https://issuer.fga.example/some_endpoint`
`https://issuer.fga.example/some_endpoint`	`https://issuer.fga.example/some_endpoint`
`https://issuer.fga.example:8080/some_endpoint`	`https://issuer.fga.example:8080/some_endpoint`

Of course, we'll need to do some of the validations to ensure e.g. users are passing fields with https or http (and not e.g. ftp) and that the full url is valid

Related Issues

.NET SDK issue: https://github.com/openfga/dotnet-sdk/issues/30
(duplicate) https://github.com/openfga/sdk-generator/issues/197

SDKs to be updated

[ ] JS SDK (https://github.com/openfga/js-sdk/pull/139) by @marcoquotech
[x] Go SDK (https://github.com/openfga/sdk-generator/pull/275)
[ ] .NET SDK
[ ] Python SDK https://github.com/openfga/python-sdk/issues/136
[x] Java SDK (https://github.com/openfga/sdk-generator/pull/240)

le-yams commented 12 months ago

I opened the PR #240 for the Java SDK. I have prepared all other SDKs (go, js, dotnet and python) but I'll wait your review on this one before submitting them 😃.

danielloader commented 3 months ago

@le-yams do you still have the other sdk examples around? I know it's been a while!

Divan009 commented 1 month ago

Hi I've opened the PR #421 for the Python SDK. Looking forward to a review

stefan505 commented 1 week ago

The only way this can be properly solved is to use the well known endpoint of the IDP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.

openfga / sdk-generator