
[All SDKs] OAuth token endpoint should be configurable

Open le-yams opened this issue 2 years ago • 7 comments

Description

For clients using OAuth2 credentials, the token endpoint is currently hardcoded in all SDKs (with /oauth/token value). Could it be possible to make it configurable? Or, even better, support OIDC discovery?

I'm willing to contribute if that's something you would be interested in :)

Steps to take

Change the apiTokenIssuer field in the configuration to accept a full URL. So:

| ApiTokenIssuer | Endpoint SDK will hit |
| --- | --- |
| issuer.fga.example | https://issuer.fga.example/oauth/token |
| https://issuer.fga.example | https://issuer.fga.example/oauth/token |
| https://issuer.fga.example:8080 | https://issuer.fga.example:8080/oauth/token |
| issuer.fga.example/some_endpoint | https://issuer.fga.example/some_endpoint |
| https://issuer.fga.example/some_endpoint | https://issuer.fga.example/some_endpoint |
| https://issuer.fga.example:8080/some_endpoint | https://issuer.fga.example:8080/some_endpoint |

Of course, we'll need to do some validation to ensure, e.g., that users are passing fields with https or http (and not e.g. ftp) and that the full URL is valid.

Related Issues

  • .NET SDK issue: https://github.com/openfga/dotnet-sdk/issues/30
  • (duplicate) https://github.com/openfga/sdk-generator/issues/197

SDKs to be updated

  • [ ] JS SDK (https://github.com/openfga/js-sdk/pull/139) by @marcoquotech
  • [x] Go SDK (https://github.com/openfga/sdk-generator/pull/275)
  • [x] .NET SDK (https://github.com/openfga/dotnet-sdk/pull/151) by @OsmanMElsayed
  • [x] Python SDK https://github.com/openfga/python-sdk/issues/136
  • [x] Java SDK (https://github.com/openfga/sdk-generator/pull/240)

le-yams Nov 28 '23 15:11
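The ApiTokenIssuer mapping and the scheme/URL validation proposed in the issue description, as an added Python example (not code from any OpenFGA SDK). The name `resolve_token_endpoint`, the whitespace check, and treating a lone `/` path like an empty path are assumptions of this example.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_SCHEME = "https"
DEFAULT_TOKEN_PATH = "/oauth/token"
ALLOWED_SCHEMES = {"http", "https"}


def resolve_token_endpoint(api_token_issuer: str) -> str:
    """Hypothetical helper: map an apiTokenIssuer value to the token URL."""
    raw = api_token_issuer.strip()
    if not raw or any(ch.isspace() for ch in raw):
        raise ValueError("apiTokenIssuer is empty or contains whitespace")

    # Test for "://" explicitly: urlsplit("host:8080") would otherwise
    # read "host" as the scheme and "8080" as the path.
    if "://" not in raw:
        raw = f"{DEFAULT_SCHEME}://{raw}"

    parts = urlsplit(raw)  # raises ValueError on malformed bracketed hosts
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"unsupported scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("apiTokenIssuer has no host")
    _ = parts.port  # raises ValueError for a non-numeric or out-of-range port

    # Bare issuer keeps the historical default path; an explicit path is
    # used unchanged. A lone "/" counts as bare (assumption of this example).
    path = parts.path if parts.path not in ("", "/") else DEFAULT_TOKEN_PATH
    return urlunsplit((parts.scheme, parts.netloc, path, parts.query, ""))


# The six rows from the issue description: input -> endpoint the SDK will hit.
ISSUE_TABLE = {
    "issuer.fga.example": "https://issuer.fga.example/oauth/token",
    "https://issuer.fga.example": "https://issuer.fga.example/oauth/token",
    "https://issuer.fga.example:8080": "https://issuer.fga.example:8080/oauth/token",
    "issuer.fga.example/some_endpoint": "https://issuer.fga.example/some_endpoint",
    "https://issuer.fga.example/some_endpoint": "https://issuer.fga.example/some_endpoint",
    "https://issuer.fga.example:8080/some_endpoint": "https://issuer.fga.example:8080/some_endpoint",
}

if __name__ == "__main__":
    for issuer, expected in ISSUE_TABLE.items():
        print(issuer, "->", resolve_token_endpoint(issuer))
```
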

I opened the PR #240 for the Java SDK. I have prepared all other SDKs (go, js, dotnet and python) but I'll wait for your review on this one before submitting them 😃.

le-yams Nov 30 '23 08:11

@le-yams do you still have the other sdk examples around? I know it's been a while!

danielloader Aug 15 '24 14:08

Hi, I've opened the PR #421 for the Python SDK. Looking forward to a review.

Divan009 Oct 01 '24 18:10

The only way this can be properly solved is to use the well-known endpoint of the IDP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.

stefan505 Nov 15 '24 10:11

Unfortunately, also the Python SDK still seems to experience this issue, as the suffix is hardcoded in the OAuth client's _obtain_token function.

Edit: Should be fixed now.

manuel-lang Apr 02 '25 17:04

Hi @dyeam0,

I implemented the fix for this in the dotnet SDK following the same pattern in the go, java & python SDKs. It would be great to get someone's 👀 on the PR: https://github.com/openfga/dotnet-sdk/pull/151

OsmanMElsayed Nov 04 '25 11:11

@OsmanMElsayed Thanks for the PR! We will get someone lined up to review it for you.

dyeam0 Nov 04 '25 14:11