-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Experimental Auth v2 API #2430
Experimental Auth v2 API #2430
Conversation
ec690fe
to
f45e75c
Compare
f45e75c
to
70d60c0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comments labeled comment are just comments ;)
it feels like the current separation in files is not the right one. the authorized_code flow can also be used with OpenID4VCI&VP, but those have their own files. I don't see a better separation at this point, so probably fine for now.
we're still missing the metadata endpoints (they are on /n2n, which means that public endpoints /authorize and /token can only be discovered on a non-public api...)
the pre-authorized_code
flow is currently in the VCR, but should probably move here ?
auth/api/auth/v2/session.go
Outdated
return &result | ||
} | ||
|
||
type Session struct { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
comment: RFC6749 3.1 Authorization Endpoint
Parameters sent without a value MUST be treated as if they were
omitted from the request. The authorization server MUST ignore
unrecognized request parameters. Request and response parameters
MUST NOT be included more than once.
Meaning param == ""
can be interpreted as the parameter is not present in the authorization request
(just nothing this as confirmation that "" == nil in this case)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Strings can't be nil, so go helps here :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exactly, "" != nil
but we can interpret it as such instead of using annoying *string
I agree.
That's right, I'd suggest new metadata endpoints under
Later on, I'd say. |
Intended to incrementally implement the new OAuth2 flows (authz code, OpenID4VP, later on OpenID4VC).
It is disabled by default, config flag (
auth.v2apienabled
) hidden.