  1. Identity Gateway
  2. OPENIG-597

Facilitate development of OAuth2 clients

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Won't Do
    • Affects Version/s: 4.0.0
    • Fix Version/s: Not Applicable
    • Component/s: OAuth 2.0
    • Labels:
      None

      Description

      While implementing the UMA resource server filter we discovered the requirement to interact as an OAuth2 client with external OAuth2 resource servers. Typically, client code obtains an OAuth2 access token and a refresh token and then interacts with the resource server. The resource server may reject the request because the access token has expired, in which case the client should refresh the token and retry the operation.

      Here is an example of how this may look in client code:

      // Create an OAuth2 client which will use a Handler for refreshing tokens.
      OAuth2Client oauth2Client = new OAuth2Client(authorizationServerHandler, accessToken, refreshToken);
      
      // OAuth2 client automatically handles token refresh.
      Promise<Response, NeverThrowsException> promise = oauth2Client.performAuthorizedRequest(request -> {
          // Passed in request already has authorization header set, so just set other fields.
          request.setUri(...);
          request.setMethod("GET");
      
          // Send request to resource server.
          return resourceServer.handle(request);
      });
      

      We should be able to extract such an API from the existing OpenIG OAuth2ClientFilter which already has similar functionality. The resulting API could handle several use cases:

      • the access token and refresh token have already been obtained by some external processing, e.g. in UMA the PAT and its associated refresh token may be supplied when the resource owner is first provisioned in the RS
      • the OAuth2 client is responsible for obtaining the access token and refresh token and interacting with the end-user and AS in order to obtain authorization. This is currently the goal of the OAuth2ClientFilter, but we may want to extract it out as a separate API for use in CHF.
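
An added example, not code from this issue or from OpenIG: a synchronous sketch of the refresh-and-retry behaviour the description asks for, covering the first use case (tokens supplied externally). The class, the two records and the `Function`-based stand-ins for the AS and RS are hypothetical; the API proposed above is asynchronous (Promise-based).

```java
import java.util.function.Function;

public class RefreshingOAuth2Client {
    // Hypothetical minimal types; a real client would carry full HTTP messages.
    record Tokens(String access, String refresh) {}
    record Response(int status, String wwwAuthenticate) {}

    private final Function<String, Tokens> refresher; // refresh token -> new token pair
    private Tokens tokens;

    RefreshingOAuth2Client(Function<String, Tokens> refresher, Tokens initial) {
        this.refresher = refresher;
        this.tokens = initial;
    }

    // RFC 6750: an expired or revoked bearer token is answered with 401 and error="invalid_token".
    private static boolean tokenRejected(Response r) {
        return r.status() == 401 && r.wwwAuthenticate() != null
                && r.wwwAuthenticate().contains("error=\"invalid_token\"");
    }

    // Sends the request with the current access token; refreshes and retries at most once.
    // synchronized: concurrent callers must not replay a refresh token the AS may have rotated.
    synchronized Response performAuthorizedRequest(Function<String, Response> call) {
        Response first = call.apply(tokens.access());
        if (!tokenRejected(first) || tokens.refresh() == null) {
            return first; // success, an unrelated error, or nothing to refresh with
        }
        tokens = refresher.apply(tokens.refresh()); // keep the returned refresh token too
        return call.apply(tokens.access());         // a second rejection goes back to the caller
    }

    public static void main(String[] args) {
        // Constructed stand-ins for the authorization server and the resource server.
        Function<String, Tokens> authorizationServer = rt -> {
            if (!"rt-1".equals(rt)) throw new IllegalStateException("invalid_grant");
            return new Tokens("at-2", "rt-2");
        };
        Function<String, Response> resourceServer = at -> "at-2".equals(at)
                ? new Response(200, null)
                : new Response(401, "Bearer error=\"invalid_token\"");

        RefreshingOAuth2Client client =
                new RefreshingOAuth2Client(authorizationServer, new Tokens("at-1", "rt-1"));
        System.out.println(client.performAuthorizedRequest(resourceServer).status());
        System.out.println(client.performAuthorizedRequest(resourceServer).status());
    }
}
```

Retrying only on `invalid_token` and only once keeps a misconfigured or revoked client from looping against the authorization server, and a failed refresh surfaces as an exception rather than a silent unauthenticated retry.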

            People

            • Assignee:
              Unassigned
              Reporter:
              Matthew Swift