Experimental Auth v2 API #2430
Experimental Auth v2 API #2430
Conversation
reinkrul
force-pushed
the
oauth2-server-poc2
branch
from
ec690fe
to
f45e75c
Compare
reinkrul
force-pushed
the
oauth2-server-poc2
branch
from
f45e75c
to
70d60c0
Compare
There was a problem hiding this comment.
comments labeled comment are just comments ;)
it feels like the current separation in files is not the right one. the authorized_code flow can also be used with OpenID4VCI&VP, but those have their own files. I don't see a better separation at this point, so probably fine for now.
we're still missing the metadata endpoints (they are on /n2n, which means that public endpoints /authorize and /token can only be discovered on a non-public api...)
the pre-authorized_code flow is currently in the VCR, but should probably move here ?
auth/api/auth/v2/session.go
Outdated
| return &result | ||
| } | ||
|
|
||
| type Session struct { |
There was a problem hiding this comment.
comment: RFC6749 3.1 Authorization Endpoint
Parameters sent without a value MUST be treated as if they were
omitted from the request. The authorization server MUST ignore
unrecognized request parameters. Request and response parameters
MUST NOT be included more than once.
Meaning param == "" can be interpreted as the parameter is not present in the authorization request
(just nothing this as confirmation that "" == nil in this case)
There was a problem hiding this comment.
Strings can't be nil, so go helps here :-)
There was a problem hiding this comment.
exactly, "" != nil but we can interpret it as such instead of using annoying *string
I agree.
That's right, I'd suggest new metadata endpoints under
Later on, I'd say. |
Intended to incrementally implement the new OAuth2 flows (authz code, OpenID4VP, later on OpenID4VC).
It is disabled by default, config flag (
auth.v2apienabled) hidden.