szuecs
commented
2 years ago @cedricve you would need an infrastructure or provider that is the authorization server that given a clientID and clientSecret will return JWT tokens. The token would be validated by this middleware handler. There are implementations for Github and Google IDP and our own, but I am also happy to review PRs for other implementations. Some people tried to use UI logins via GH/Google and there seems to be an issue with sessions https://github.com/zalando/gin-oauth2/issues/66. If you need this and are able to fix it I am happy to review, merge and publish a release. I don't have time to fix the session issue, in my tests it worked, but I have limited time to check it, right now.
cedricve
Hello zalando team,
I was interested in your implementation, and as far I do get it right. The implementation of this repo only covers the resource authorization but not the actual authorization service.
Currently I'm generating JWT tokens using a gin-jwt service. I'm using basic authentication to validate and generate a token, afterwards I'm using that token in Swagger API's to fetch resources.
Now I would like to use this implementation (well done btw), to leverage a more fine-grained access control using scope. I'm just wonderin where to start. I believe an UI would required to generate new apps (redirect_uri, client id, client secret, name). Afterwards that information can be used to fetch an authorization token and afterwards the access token. Once you have the latter, you can use your implementation to limit request to it's received scoped token.
I'm just wondering what would be the best way to implement the authorization behaviour, or what implementation should be used.
Thanks for everything! Cedric