vouch / vouch-proxy

an SSO and OAuth / OIDC login solution for Nginx using the auth_request module
MIT License

access_token in requestedURL hash segment for Angular and client side javascript OIDC support #285

Open kosplay opened 4 years ago

kosplay commented 4 years ago

First, appreciate your valuable input. I'm aware that 'Vouch Proxy relies on the ability to share a cookie between the Vouch Proxy server and the application it's protecting. ' And it is the first line of the doc.

Any consideration in implementing passing access_token in requestedURL as a hash fragment? Any concern to share if that isn't considered? Lots of Angular apps use this https://www.npmjs.com/package/angular-oauth2-oidc and it doesn't read the cookie.

bnfinet commented 4 years ago

Currently you can pass a URL to validate as https://vouch.yourdomain.com/validate?access_token=${TOKEN} and it will return 200 OK or 401 Unauthorized. @kosplay does that satisfy your need?

Some of the conversation in #157 discusses the limitations of hashes. They are never transmitted to the server by the browser. https://github.com/vouch/vouch-proxy/issues/157#issuecomment-540706500

The access_token param can be renamed by config... https://github.com/vouch/vouch-proxy/blob/master/.defaults.yml#L41

Here's the code where the access_token param is checked after looking for the JWT in the cookie and then the `Authorization: Bearer $JWT` header. https://github.com/vouch/vouch-proxy/blob/master/pkg/jwtmanager/jwtmanager.go#L248-L252

kosplay commented 4 years ago

Thank you for the prompt response! Sorry for not being clear. Read #157 and it is irrelevant. I got stuck on auth.go redirect to the 'requestedURL' after successfully issuing jwt, as shown below: responses.Redirect302(w, r, requestedURL)

As lots of JavaScript libraries implement different ways to call /auth, some expect a JSON response (if a JavaScript library in authorization code grant flow initiates an XHR request) and others may expect a URL with hash segments containing access_token (when implicit flow is used and it comes back to the application after a series of redirects).

The original question was meant to ask if those will be supported.

The context is that I'm trying to get PingIdentity and Angular (with angular-oauth-oidc) working. The PingIdentity server has no problem with it, but I'm figuring out how to send a response (containing access_token) which angular-oauth-oidc would recognize.

bnfinet commented 4 years ago

Can you please provide an example/mock of a request to Vouch Proxy and what you'd like to get as a response for both success and failure?

On Wed, Jun 24, 2020, 3:31 PM Yumeng Sun notifications@github.com wrote:


bnfinet commented 4 years ago

@kosplay I'm thinking something like if the Content-Type: application/json header is present, then return the user information usually contained in the headers in a json blob of some sort.

WDYT?

How is angular-oauth-oidc expecting the access_token? How else will the token be used in the app? I'd expect you'd really want the user's information, not the access token.
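To make the two mechanics discussed in this thread concrete, here is a small Go sketch added for illustration; it is not Vouch Proxy's own code. It implements the lookup order bnfinet describes (cookie, then `Authorization: Bearer`, then the `access_token` query parameter) and a `/validate`-style handler that answers 200/401, returning the user info as a JSON body when the client asks for JSON (keyed on the request's `Accept` header rather than the `Content-Type` header suggested above). The cookie and parameter names, the sample identity and the token check are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenFromRequest follows the order described in the thread: cookie, then
// "Authorization: Bearer", then ?access_token=. A #access_token=... fragment is
// never sent by the browser, so it cannot be read here. Names are assumed.
func tokenFromRequest(r *http.Request) string {
	if c, err := r.Cookie("VouchCookie"); err == nil && c.Value != "" {
		return c.Value
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer ")
	}
	return r.URL.Query().Get("access_token")
}

// validateHandler answers 200/401 like /validate; if the client sends
// Accept: application/json, the user info comes back as a JSON body instead.
func validateHandler(w http.ResponseWriter, r *http.Request) {
	if tokenFromRequest(r) != "good-jwt" { // stand-in for real JWT verification
		http.Error(w, "Unauthorized", http.StatusUnauthorized)
		return
	}
	user := "alice@example.com" // constructed sample identity
	if strings.Contains(r.Header.Get("Accept"), "application/json") {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string]string{"user": user})
		return
	}
	w.Header().Set("X-Vouch-User", user)
	w.WriteHeader(http.StatusOK)
}

// validate drives the handler in-process and returns status code and body.
func validate(rawURL string, hdr map[string]string) (int, string) {
	req := httptest.NewRequest("GET", rawURL, nil)
	for k, v := range hdr {
		req.Header.Set(k, v)
	}
	rec := httptest.NewRecorder()
	validateHandler(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
```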