Use token-endpoint instead of issuer for oauth2 authorization #136


Closed
1 task done
c-thiel opened this issue Sep 25, 2024 · 4 comments · Fixed by #186
Labels
enhancement New feature or request good first issue Good for newcomers hacktoberfest

Comments


c-thiel commented Sep 25, 2024

Checklist

Describe the problem you'd like to have solved

Some IdPs do not use /oauth/token as a suffix for an oauth2 (not oauth!) token exchange.
Entra-id for example uses /oauth2/v2.0/token even though the old /oauth/token endpoint is still supported for backwards compatibility.

We currently cannot specify these endpoints as the suffix is hard coded:

token_url = f"https://{configuration.api_issuer}/oauth/token"

Describe the ideal solution

Use either a /.well-known/openid-configuration to determine the token endpoint, or, maybe easier, allow users to specify the token endpoint directly (without suffixing it in the code snippet above).

Alternatives and current workarounds

Switch IdP - bad idea :)

References

No response

Additional context

No response

@c-thiel c-thiel added the enhancement New feature or request label Sep 25, 2024
rhamzeh (Member) commented Sep 28, 2024

We have an issue tracking this here: openfga/sdk-generator#238

If the plan described there is appropriate for you, let us know so that we can update the issue here

kanishk128 commented

Hey @rhamzeh @c-thiel, could this issue be assigned to me? I am thinking of implementing dynamic discovery.

@rhamzeh rhamzeh moved this from Backlog to In progress in SDKs and Tooling Oct 21, 2024

stefan505 commented Nov 15, 2024

The only way this can be properly solved is to use the well-known endpoint of the IdP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.
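A worked sketch of the approach proposed in the issue body and in the comment above (explicit token endpoint, otherwise OIDC discovery, otherwise the legacy `/oauth/token` suffix), written as an added example here rather than taken from the OpenFGA SDK or from any commenter. It keeps the page's `api_issuer` field name; `api_token_endpoint`, the injected `fetch_json` callable, the `client_credentials_body` helper and every `*.example*.test` hostname and discovery document are assumptions constructed for the example so that it runs offline:

```python
import json
from typing import Callable, Dict, Optional
from urllib.parse import urlparse

DISCOVERY_SUFFIX = "/.well-known/openid-configuration"

# Constructed sample discovery documents (not real IdP responses), keyed by the
# issuer's host+path. They stand in for what an HTTPS GET of
# https://<issuer>/.well-known/openid-configuration would return.
SAMPLE_DISCOVERY: Dict[str, dict] = {
    # Entra-style issuer whose token endpoint is not <issuer>/oauth/token
    "login.example-entra.test/tenant-id/v2.0": {
        "issuer": "https://login.example-entra.test/tenant-id/v2.0",
        "token_endpoint": "https://login.example-entra.test/tenant-id/oauth2/v2.0/token",
    },
    # Legacy-style issuer where the old hard-coded suffix happens to be right
    "auth.example-legacy.test": {
        "issuer": "https://auth.example-legacy.test/",
        "token_endpoint": "https://auth.example-legacy.test/oauth/token",
    },
    # Document whose advertised issuer does not match the host it was fetched from
    "mismatch.example.test": {
        "issuer": "https://other.example.test",
        "token_endpoint": "https://other.example.test/oauth/token",
    },
}


def fake_fetch_json(url: str) -> dict:
    """Offline stand-in for an HTTPS GET that returns parsed JSON (hypothetical)."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.path.endswith(DISCOVERY_SUFFIX):
        raise ValueError(f"unexpected discovery URL: {url}")
    key = parsed.netloc + parsed.path[: -len(DISCOVERY_SUFFIX)]
    if key not in SAMPLE_DISCOVERY:
        raise ConnectionError(f"no discovery document for {key}")
    return json.loads(json.dumps(SAMPLE_DISCOVERY[key]))  # fresh copy, as a real parse would be


def normalize_issuer(api_issuer: str) -> str:
    """Accept 'host', 'host/path' or 'https://host/path/' and return 'host/path'."""
    issuer = api_issuer.strip()
    if "://" in issuer:
        parsed = urlparse(issuer)
        if parsed.scheme != "https":
            raise ValueError("issuer must use https")
        issuer = parsed.netloc + parsed.path
    return issuer.rstrip("/")


def resolve_token_url(
    api_issuer: str,
    api_token_endpoint: Optional[str] = None,
    fetch_json: Callable[[str], dict] = fake_fetch_json,
) -> str:
    """Pick the token endpoint: explicit override > OIDC discovery > legacy /oauth/token."""
    if api_token_endpoint:
        if urlparse(api_token_endpoint).scheme != "https":
            raise ValueError("token endpoint must use https")
        return api_token_endpoint

    issuer = normalize_issuer(api_issuer)
    try:
        doc = fetch_json(f"https://{issuer}{DISCOVERY_SUFFIX}")
    except ConnectionError:
        # No discovery document: keep the suffix the original code hard-coded.
        return f"https://{issuer}/oauth/token"

    # OIDC Discovery requires the document's issuer to equal the one it was fetched
    # for; on a mismatch the advertised endpoints must not be used for this issuer.
    if normalize_issuer(doc.get("issuer", "")) != issuer:
        raise ValueError("discovery document issuer does not match configured issuer")
    token_endpoint = doc.get("token_endpoint")
    if not token_endpoint or urlparse(token_endpoint).scheme != "https":
        raise ValueError("discovery document has no usable https token_endpoint")
    return token_endpoint


def client_credentials_body(client_id: str, client_secret: str,
                            audience: Optional[str] = None,
                            scope: Optional[str] = None) -> Dict[str, str]:
    """Form fields for a client_credentials grant. audience and scope are sent only
    when configured, since not every IdP accepts an audience parameter."""
    body = {"grant_type": "client_credentials",
            "client_id": client_id, "client_secret": client_secret}
    if audience:
        body["audience"] = audience
    if scope:
        body["scope"] = scope
    return body


if __name__ == "__main__":
    for configured in SAMPLE_DISCOVERY:
        try:
            print(configured, "->", resolve_token_url(configured))
        except ValueError as exc:
            print(configured, "-> rejected:", exc)
    print("unknown.example.test ->", resolve_token_url("unknown.example.test"))
```

The issuer check is the part worth keeping even if the rest changes: a discovery document is only trustworthy for the issuer it was fetched for, and the fallback to `/oauth/token` is taken only when no document exists, not when one exists but fails validation.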

rhamzeh (Member) commented Feb 19, 2025

This ticket has been done in #137 and can be closed

@rhamzeh rhamzeh closed this as completed Feb 19, 2025
@github-project-automation github-project-automation bot moved this from In progress to Done in SDKs and Tooling Feb 19, 2025
@rhamzeh rhamzeh mentioned this issue Apr 2, 2025