Allow for easier extension of OAuth2 grants and add support for OpenID Connect Authorization Code Flow #39
base: main
Conversation
...instead of an OAuth2Class instance that only wraps that config
I tried your OIDCClient and found out that it throws an error if I reduce the scope to "openid", because it tries to match the at_hash with a non-existing access_token:
An error occurred during route handling or page rendering. Error: Invalid token response: id_token at_hash claim does not match access_token hash
Add a function to authorization_code_flow.ts:
function makeUrlSafe(hash: string) {
  return hash.replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "");
}
Use that in line 245 instead of manipulating the hash in line 243:
const base64EncodedHash = base64Encode(leftHalf);
if (makeUrlSafe(base64EncodedHash) !== makeUrlSafe(atHash)) {
Another finding: When using OpenID with Facebook, the id_token comes back with an empty string as
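The at_hash validation behind both findings above, as an added TypeScript example that is not code from this PR or from the oauth2_client library (it does not use the library's base64Encode helper). It assumes Node-style `node:crypto` and `node:buffer` imports, which Deno also resolves, and a constructed access token. It goes a step beyond the suggested makeUrlSafe change: the check is skipped only when the ID token carries no at_hash claim (at_hash is optional in the authorization code flow), a response that has at_hash but no access_token is rejected as inconsistent instead of hashing an empty string, both encodings are normalised to unpadded base64url before comparing, and the comparison is constant-time.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";
import { Buffer } from "node:buffer";

// Normalise standard or URL-safe base64, padded or not, to unpadded base64url,
// the form OIDC Core requires for at_hash. Same idea as the makeUrlSafe()
// suggested above, applied to both sides of the comparison.
export function toBase64Url(s: string): string {
  return s.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// The digest for at_hash is the one named by the ID token's JWS "alg":
// RS256/ES256/PS256/HS256 -> SHA-256, ...384 -> SHA-384, ...512 -> SHA-512.
function hashForAlg(alg: string): string {
  const m = /^(?:RS|ES|PS|HS)(256|384|512)$/.exec(alg);
  if (m === null) throw new Error(`cannot derive at_hash digest for alg "${alg}"`);
  return `sha${m[1]}`;
}

// at_hash = base64url(left-most half of HASH(ASCII(access_token))).
export function computeAtHash(accessToken: string, alg: string): string {
  const digest = createHash(hashForAlg(alg)).update(accessToken, "utf8").digest();
  const leftHalf = digest.subarray(0, digest.length / 2);
  return toBase64Url(leftHalf.toString("base64"));
}

export type AtHashResult = "verified" | "skipped";

// Validate the token response's access_token against the ID token's at_hash.
// - at_hash absent: nothing to check (optional in the authorization code flow).
// - at_hash present but no usable access_token: inconsistent response, reject.
// - both present: constant-time compare after normalising both encodings.
export function verifyAtHash(
  idTokenClaims: { at_hash?: string },
  accessToken: string | undefined,
  alg: string,
): AtHashResult {
  const atHash = idTokenClaims.at_hash;
  if (atHash === undefined) return "skipped";
  if (accessToken === undefined || accessToken === "") {
    throw new Error("id_token carries at_hash but the token response has no access_token");
  }
  const expected = Buffer.from(computeAtHash(accessToken, alg), "utf8");
  const actual = Buffer.from(toBase64Url(atHash), "utf8");
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) {
    throw new Error("Invalid token response: id_token at_hash claim does not match access_token hash");
  }
  return "verified";
}

// Constructed sample values (not a real provider response) showing the two
// non-error outcomes; a mismatch or a missing access_token throws.
const sampleAccessToken = "constructed.access.token.for.demo";
const sampleAtHash = computeAtHash(sampleAccessToken, "RS256");
console.log(verifyAtHash({ at_hash: sampleAtHash }, sampleAccessToken, "RS256")); // verified
console.log(verifyAtHash({}, undefined, "RS256")); // skipped
```

Treating an empty access_token the same as a missing one is a deliberate choice here: an empty string can never legitimately match an at_hash, and the error message then points at the real problem (the token response) rather than at the hash comparison.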
There have been a few requests to add support for OpenID Connect (OIDC) related extensions to the OAuth2 protocol (#28, #29, #32).
Instead of adding these extensions to the OAuth2 client (making it more complex than it needs to be), I've decided to add a separate OIDC Client, living in its own subdirectory. That way, if you only need the OAuth2 client you can just continue to import it as is. If you do want to use OIDC specific features and APIs you'll be able to import those from https://deno.land/x/oauth2_client/oidc.ts.
The OAuth2 and OIDC clients mostly share the same interface, with the OIDC client marking a few fields of the OAuth2 config required and adding a few extra options (like the URI of the userinfo endpoint).
This PR isn't quite ready to be merged yet, but we're getting there!
To Do
Future Work
This is a pretty basic implementation of an OIDC client so far.
Apart from the userinfo endpoint (#29), there are additional APIs that OIDC specifies, like the claims parameter. And then there are APIs that are often used with OIDC, but also apply to OAuth2, like
When this PR is merged I'll create a separate issue to track all these.