Open kosplay opened 4 years ago
Currently you can pass a URL to validate as `https://vouch.yourdomain.com/validate?access_token=${TOKEN}` and it will return `200 OK` or `401 Unauthorized`. @kosplay does that satisfy your need?
Some of the conversation in #157 discusses the limitations of hashes. They are never transmitted to the server by the browser. https://github.com/vouch/vouch-proxy/issues/157#issuecomment-540706500
The `access_token` param can be renamed by config...
https://github.com/vouch/vouch-proxy/blob/master/.defaults.yml#L41
Here's the code where the `access_token` param is checked after looking for the JWT in the cookie and then the `Authorization: Bearer $JWT` header.
https://github.com/vouch/vouch-proxy/blob/master/pkg/jwtmanager/jwtmanager.go#L248-L252
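The lookup order described in the comment above (cookie, then `Authorization: Bearer`, then the `access_token` query parameter), together with the point that a hash fragment never reaches the server, as an added Go example that is not Vouch Proxy's code or part of the thread. The cookie name `ExampleCookie`, the helper names `findToken` and `probe`, and the string comparison standing in for JWT verification are assumptions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

const cookieName = "ExampleCookie"         // hypothetical; the real name comes from config
const queryParam = "access_token"          // name used in the thread, renamable by config
const validToken = "constructed.jwt.value" // constructed stand-in for a signed JWT

// findToken follows the order described above: cookie, Bearer header, query param.
func findToken(r *http.Request) (token, source string) {
	if c, err := r.Cookie(cookieName); err == nil && c.Value != "" {
		return c.Value, "cookie"
	}
	if h := r.Header.Get("Authorization"); strings.HasPrefix(h, "Bearer ") {
		return strings.TrimPrefix(h, "Bearer "), "header"
	}
	if q := r.URL.Query().Get(queryParam); q != "" {
		return q, "query"
	}
	return "", "none"
}

// probe builds the request a client would send for rawURL. Only RequestURI()
// goes on the wire, so a #fragment is gone before findToken runs.
func probe(rawURL string, hdr http.Header) (int, string) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, "bad url"
	}
	req := httptest.NewRequest(http.MethodGet, u.RequestURI(), nil)
	req.Header = hdr
	tok, src := findToken(req)
	if tok != validToken { // stands in for real JWT verification
		return http.StatusUnauthorized, src
	}
	return http.StatusOK, src
}

func main() {
	base := "https://vouch.yourdomain.com/validate"
	fmt.Println(probe(base+"?access_token="+validToken, nil)) // token in query string
	fmt.Println(probe(base+"#access_token="+validToken, nil)) // token in hash fragment
}
```

In this sketch the first location that holds any token wins, so a stale `Authorization` header is checked instead of a valid query parameter.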
Thank you for the prompt response! Sorry for not being clear. Read #157 and it is irrelevant.
I got stuck on the auth.go redirect to the 'requestedURL' after successfully issuing the JWT, as shown below:
`responses.Redirect302(w, r, requestedURL)`
As lots of JavaScript libraries implement different ways to call /auth, some expect a JSON response (if a JavaScript library in authorization code grant flow initiates an XHR request) and others may expect a URL with hash segments containing access_token (when implicit flow is used and it comes back to the application after a series of redirects).
The original question was meant to ask if those will be supported.
The context is that I'm trying to get PingIdentity and Angular (with angular-oauth-oidc) working. The PingIdentity server has no problem with it, but I'm figuring out how to send a response (containing access_token) which angular-oauth-oidc would recognize.
Can you please provide an example/mock of a request to Vouch Proxy and what you'd like to get as a response for both success and failure?
@kosplay I'm thinking something like if the `Content-Type: application/json` header is present, then return the user information usually contained in the headers in a json blob of some sort. WDYT?
How is angular-oauth-oidc expecting the access_token? How else will the token be used in the app? I'd expect you'd really want the user's information, not the access token.
First, appreciate your valuable input. I'm aware that 'Vouch Proxy relies on the ability to share a cookie between the Vouch Proxy server and the application it's protecting.' And it is the first line of the doc.
Any consideration in implementing passing access_token in requestedURL as a hash fragment? Any concern to share if that isn't considered? Lots of Angular apps use this https://www.npmjs.com/package/angular-oauth2-oidc and it doesn't read the cookie.