Closed sgal closed 1 year ago
igorcavalcante
commented
1 year ago It's a very interesting matter, I am working on a oidc solution with a load fo 50M users and spikes of 30k full auth cylces persecond, do claim checks like expiration dates via introspection is something to be avoided.
aeneasr
commented
1 year ago There are two ways to address this from a client perspective:
I think the first option is easier to implement than the second option. Currently, we switch the token strategy based on the config here:
If the requester
contains the client, we could potentially use that as an override for the strategy here
However, I'm not sure how that would impact the subject identifier verification. Currently, validation seems to happen in these places:
So any change to this logic would require end-to-end tests to ensure that the behavior is correct.
sgal
commented
1 year ago I think option 1 would be more scalable for flows that do not use consent, like jwt-bearer. I'm not sure if pairwise support is needed there, seems like an extreme edge case. But token type would be great to have in that grant type.
aeneasr
commented
1 year ago The problem is that we need to validate for these edge cases, because otherwise the behavior is incorrect, which could potentially imply that we'll fail OpenID certification. So while it is an edge case, it has to be considered and properly handled :)
sgal
commented
1 year ago I think we're on the same page here. rfc7523 is only oAuth2 and it has no mention of pairwise or any other subject obfuscation, so would it break the OIDC certification if we skip pairwise there?
aeneasr
commented
1 year ago I'm not quite sure if I understand, in this feature request we would issue JWT access tokens for OAuth2 Clients that asks us to do so. That impacts all OAuth2 and OpenID Connect flows, which is we need to make sure that they behave according to spec.
We can also limit this feature to RFC7523 only, but I think we could solve this for the general use case "this client should get JWT access tokens".
Preflight checklist
Describe your problem
We have a login solution based on Hydra that serves both internal clients (meaning oauth2 clients) and external clients.
For internal clients, we have an existing codebase that is built around JWT tokens that is hard to migrate to opaque. These clients also use internal identifiers as subjects in access tokens.
For external clients, we would like to use the pairwise subjects feature and opaque tokens that come with it.
We also want to have Single Sign On support between internal/external clients.
Currently, Hydra only supports a global configuration of token types, which prevents us from enabling the pairwise subjects feature for external clients, while keeping internal clients unchanged.
Describe your ideal solution
It would be great to be able to configure token type per client, similar to how it is done with token TTL values. With that, our internal clients would stay on JWT tokens and internal identifiers as subjects, and we could also enable external clients with pairwise subjects and opaque tokens.
Workarounds or alternatives
Version
2.x
Additional Context
No response