Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

0.6.0 #293

Merged
merged 50 commits into from
Oct 25, 2016
Merged

0.6.0 #293

merged 50 commits into from
Oct 25, 2016

Conversation

aeneasr
Copy link
Member

@aeneasr aeneasr commented Oct 9, 2016
edited
Loading

  • apiary/gb: document introspection endpoint, document separate token requirement
    • apiary
    • gb
  • apiary: document public client
  • gb: document public client
  • cmd: add public client flag
  • apiary: remove connection
  • gb: update to mysql/postgres
  • docker: update to mysql/postgres
  • readme: remove wall of text
  • oauth2: write client + tests for token revocation
  • all: sql adapters, obviously
  • client: come up with a better storage strategy for sql
  • better fosite storage tests
  • document warden parameters in gitbook
  • example is now http only, update docs
  • fix issue where jwks can not be found after re-boot
  • document ?parseTime=true mysql requirement
  • document how to connect to postgres
  • add test for empty oauth2 client id
  • add aud claim to token introspection

bc breaks:

  • removed connection
  • mysql

@andrewmcnamara
Copy link

The DATABASE_URL environment variable doesn't seem to be picked up anymore when starting under this branch.

@aeneasr
Copy link
Member Author

aeneasr commented Oct 11, 2016

@andrewmcnamara this branch is wip :)

@aeneasr aeneasr mentioned this pull request Oct 16, 2016
Closed
Aeneas Rekkas (arekkas) and others added 9 commits October 16, 2016 18:58
@aeneasr aeneasr self-assigned this Oct 16, 2016
@aeneasr aeneasr added bug Something is not working. feat New feature or request. documentation breaking change Changes behavior in a breaking manner. labels Oct 16, 2016
@aeneasr aeneasr added this to the 0.6.0 milestone Oct 16, 2016
@aeneasr aeneasr mentioned this pull request Oct 16, 2016
Closed
@aeneasr
Copy link
Member Author

aeneasr commented Oct 18, 2016

@janekolszak check out 1d20c6e

janekolszak
janekolszak reviewed Oct 18, 2016
View reviewed changes
client/manager_sql.go
ID string `db:"id"`
Version int `db:"version"`
Client []byte `db:"client"`
ID string `db:"id"`
Copy link

@janekolszak janekolszak Oct 18, 2016
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now it looks much simpler and better.

Plain SQL will be a great advantage. It's fast and predictable.

janekolszak
janekolszak reviewed Oct 18, 2016
View reviewed changes
client/manager_sql.go
ResponseTypes string `db:"response_types"`
Scope string `db:"scope"`
Owner string `db:"owner"`
PolicyURI string `db:"policy_uri"`
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd divide this table into two - one with OIDC specific data and one with the ClientInfo.
I'm not sure Hydra should handle ClientInfo part at all. It looks IdP specific and I know I will have to add some fields in my service and not use others. I might as well store my own version of ClientInfo

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's the default data that makes hydra compliant with https://tools.ietf.org/html/rfc7592 - you can still use your own metadata storage

@coveralls
Copy link

Coverage Status

Coverage increased (+10.9%) to 68.758% when pulling c51397f on prepare-0.6.0 into f5299a1 on master.

Aeneas Rekkas (arekkas) added 2 commits October 24, 2016 15:01
@waynerobinson
Copy link

Our use case is preventing issues with backwards compatibility based on what we've implemented.

The existing version uses aud, not client_id as they are practically the same thing.

And it's the way we identify a client credentials token from a standard auth one, because these fields match.

And what spec?

If you're going to use the JWT fields of iat, exp, etc. Mixing in the non-JWT client_id when aud represents the same thing is very strange.

@aeneasr
Copy link
Member Author

aeneasr commented Oct 24, 2016

https://tools.ietf.org/html/rfc7662#section-2.2

client_id
OPTIONAL. Client identifier for the OAuth 2.0 client that
requested this token.

aud
OPTIONAL. Service-specific string identifier or list of string
identifiers representing the intended audience for this token, as
defined in JWT [RFC7519].

We could include both, though. Btw BC breaks are part of the minor versioning and the reason why Hydra is not marked as stable (major version 1) yet. :)

@waynerobinson
Copy link

But you use the Client ID as the AUD in the OpenID token now right? So the behaviour is inconsistent. And you really need some way of marking an access token as a client credentials (subject-free) version.

@aeneasr
Copy link
Member Author

aeneasr commented Oct 24, 2016

And you really need some way of marking an access token as a client credentials (subject-free) version.

I don't think that the subject of a client credentials token should be empty. It should be the client id. In which case it's pretty easy to figure out by checking if client_id == subject.

But you use the Client ID as the AUD in the OpenID token now right?

Yes, this is why I offered two times to include the aud claim as well!

@waynerobinson
Copy link

Adding the aud claim would be great!

Sorry, didn't notice that above.

@aeneasr aeneasr merged commit 8256356 into master Oct 25, 2016
@aeneasr aeneasr deleted the prepare-0.6.0 branch October 25, 2016 10:01
@waynerobinson
Copy link

Our use case is preventing issues with backwards compatibility based on
what we've implemented.

The existing version uses aud, not client_id as they are practically the
same thing.

And it's the way we identify a client credentials token from a standard
auth one, because these fields match.

On Monday, 24 October 2016, Aeneas notifications@github.com wrote:

@andrewmcnamara https://github.com/andrewmcnamara per spec, client_id
is the right value. we could add the aud claim too though. What's your use
case?


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#293 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAG4poWcAlC_GF-gBSu_a6T4-Njawyilks5q3FJsgaJpZM4KSFxV
.

@waynerobinson
Copy link

And what spec?

If you're going to use the JWT fields of iat, exp, etc. Mixing in the
non-JWT client_id when aud represents the same thing is very strange.

On Monday, 24 October 2016, Wayne Robinson wayne.robinson@gmail.com wrote:

Our use case is preventing issues with backwards compatibility based on
what we've implemented.

The existing version uses aud, not client_id as they are practically the
same thing.

And it's the way we identify a client credentials token from a standard
auth one, because these fields match.

On Monday, 24 October 2016, Aeneas <notifications@github.com
javascript:_e(%7B%7D,'cvml','notifications@github.com');> wrote:

@andrewmcnamara https://github.com/andrewmcnamara per spec, client_id
is the right value. we could add the aud claim too though. What's your use
case?


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#293 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAG4poWcAlC_GF-gBSu_a6T4-Njawyilks5q3FJsgaJpZM4KSFxV
.

@waynerobinson
Copy link

Is the scope/s key also different?

On Monday, 24 October 2016, Andrew McNamara notifications@github.com
wrote:

@arekkas https://github.com/arekkas Token introspection no longer
returns the "aud" field which is part of the JWT spec. Instead it returns a
client_id field. Can the introspect response be change to include "aud"?

Current Hydra (version 5)

hydra token validate TBpyZhWoJGB7xvuyPzL2jZPuEazYnmdm7wYfG32k3qc.mr3OtSkj90d_lf584s4dktwlO7BB0oNnkq6FNI072zk
{
"sub": "f13d49c3-b61d-4fbc-b0a7-048a5f138115",
"scopes": [
"hydra"
],
"iss": "hydra.localhost",
"aud": "f13d49c3-b61d-4fbc-b0a7-048a5f138115",
"iat": "2016-10-24T14:23:57.897+11:00",
"exp": "2016-10-24T15:23:57.897+11:00",
"ext": null
}

New Hydra

hydra token validate "qLmMAnvRtXeGs3fvKYqtsv9XqKeTe3ORZ0aDmZ6PKN4.fMIFVa7LpFYXwZ61CI_WsWNEbrLlKBsnOIgBCI6IT5g"
{
"active": true,
"scope": "hydra",
"client_id": "828c4958-4359-49d6-83be-02e235841c64",
"sub": "828c4958-4359-49d6-83be-02e235841c64",
"exp": 1477280498,
"iat": 1477276899
}


You are receiving this because you commented.
Reply to this email directly, view it on GitHub
#293 (comment), or mute
the thread
https://github.com/notifications/unsubscribe-auth/AAG4psqUOWje53jMYJ7WncyIu0ux-DCRks5q3CmJgaJpZM4KSFxV
.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@janekolszak janekolszak janekolszak approved these changes

Assignees

@aeneasr aeneasr

Labels
breaking change Changes behavior in a breaking manner. bug Something is not working. feat New feature or request.
Projects
None yet
Milestone
0.6.0
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@aeneasr @andrewmcnamara @coveralls @waynerobinson @janekolszak @arekkas