
RFC9068: JWT access token #427

Closed
azmeuk opened this issue Feb 13, 2022 · 4 comments · Fixed by #586

Comments

@azmeuk
Collaborator

azmeuk commented Feb 13, 2022

Currently we can use OAUTH2_ACCESS_TOKEN_GENERATOR to customize access token generation, so it is not too hard to generate JWTs by reusing the mechanisms in generate_id_token.

However, the recent RFC9068 standardizes the claims the access token should carry.

I suggest making helpers in authlib to produce those tokens:

  • helper to generate JWT access token in IdP
  • helper to validate JWT access tokens for resource servers
  • helpers to validate JWT access token in the IdP introspection endpoint
  • token revocation endpoint should reject requests for JWT tokens, and return an unsupported_token_type error

What do you think?

@lepture
Owner

lepture commented Feb 28, 2022

@azmeuk How about adding it to oauth2.rfc9068 package? Can you send a PR for this feature?

@azmeuk
Collaborator Author

azmeuk commented Mar 6, 2022

I might tackle this some day, but I probably won't have time to spend on this feature in the near future.

@azmeuk azmeuk changed the title from "Support for RFC9068: JWT access token" to "RFC9068: JWT access token" on Oct 24, 2022
@lepture lepture added this to the Version 1.3 milestone on Nov 1, 2022
@azmeuk
Collaborator Author

azmeuk commented Aug 27, 2023

My ideas on how this can be implemented:

  • Implement a BearerJWTTokenGenerator class that inherits from BearerTokenGenerator and that builds JWT access tokens. This should be used by IdP to generate JWT access tokens.
  • Implement a BearerJWTTokenValidator class that inherits from BearerTokenValidator, that decodes and validates JWT access tokens. This should be used by resource servers to validate JWT access tokens.

I wonder if we need a JWTTokenIntrospectionEndpoint, inheriting from IntrospectionEndpoint and returning token information about JWT access tokens for say resource servers that don't implement RFC9068 yet.

What do you think @lepture?
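As an added illustration of the generator/validator split proposed in the comment above (example code written for this page, not authlib's own implementation): it builds a token carrying the claims RFC 9068 requires plus the `at+jwt` header, then performs the resource-server checks from the RFC. It assumes HS256 with a shared secret so that it stays standard-library-only; the issuer, audience, subject and client identifiers are constructed sample values.

```python
"""RFC 9068 JWT access token: issuer-side generation and resource-server validation.
Added example, not authlib code. HS256 with a shared secret is an assumption made to
keep this stdlib-only; in deployments an asymmetric algorithm is the usual choice."""
import base64, hashlib, hmac, json, secrets, time

# Claims that RFC 9068 section 2.2 makes mandatory in a JWT access token.
REQUIRED_CLAIMS = {"iss", "exp", "aud", "sub", "client_id", "iat", "jti"}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def generate_jwt_access_token(key: bytes, issuer, subject, client_id, audience,
                              scope, lifetime=3600, now=None) -> str:
    """What a BearerJWTTokenGenerator would emit on the IdP side."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "at+jwt"}  # typ value mandated by RFC 9068 section 2.1
    claims = {"iss": issuer, "sub": subject, "aud": audience, "client_id": client_id,
              "iat": now, "exp": now + lifetime, "jti": secrets.token_urlsafe(16),
              "scope": scope}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_jwt_access_token(token: str, key: bytes, issuer, my_audience, now=None) -> dict:
    """Resource-server checks from RFC 9068 section 4; raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    try:
        h, c, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Reject anything that is not an access token, and pin the algorithm before verifying.
    if header.get("typ") != "at+jwt" or header.get("alg") != "HS256":
        raise ValueError("not an RFC 9068 access token or unexpected alg")
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(c))
    missing = REQUIRED_CLAIMS - claims.keys()
    if missing:
        raise ValueError(f"missing required claims: {sorted(missing)}")
    if claims["iss"] != issuer:
        raise ValueError("untrusted issuer")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if my_audience not in aud:
        raise ValueError("token not intended for this resource server")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    return claims
```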

@lepture
Owner

lepture commented Aug 28, 2023

Sounds good to me. And you can use joserfc for JWT purposes. I will replace the authlib.jose module with joserfc.
