
Token exchange support

Open ctriant opened this issue 3 years ago • 11 comments

ctriant avatar Dec 09 '21 15:12 ctriant

Run darker on this. Other than this LGTM.

@rohe @peppelinux what do you think?

nsklikas avatar Jan 26 '22 08:01 nsklikas

Nice set of tests!

rohe avatar Feb 06 '22 08:02 rohe

We merged this in our private fork, here are some things that need to be done:

  • Check that the new scopes are a subset of the allowed scopes for the client
  • Set the expires_at of the new token to be the same as the original token's. This would stop a client from getting an access token from another client and using token exchange to refresh it indefinitely.
  • Do we need to check whether the client using the token is allowed to do so? (in the case where the token wasn't issued for them)

nsklikas avatar Feb 07 '22 11:02 nsklikas
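
The three points in the checklist above, as an added example that is not oidc-op's or the fork's code: the client records, token records and the `exchange_allowed_from` allow-list key are constructed for illustration, and the example additionally bounds the new scopes by the subject token's own scopes, which the list does not mention.

```python
# Added example, not oidc-op's code. Client records, token records and the
# "exchange_allowed_from" key are constructed for this example (RFC 8693 checks).
NOW = 1_700_000_000  # fixed clock so the example is deterministic

CLIENTS = {
    "client_a": {"allowed_scopes": {"openid", "profile", "email"},
                 "exchange_allowed_from": {"client_b"}},
    "client_b": {"allowed_scopes": {"openid", "profile"},
                 "exchange_allowed_from": set()},
}

SUBJECT_TOKEN = {  # access token originally issued to client_b
    "client_id": "client_b", "sub": "user-123",
    "scope": {"openid", "profile"},
    "issued_at": NOW - 600, "expires_at": NOW + 300,
}

def exchange_token(requesting_client, subject_token, requested_scopes, now=NOW):
    """Return the new token record, or raise ValueError with the reason."""
    client = CLIENTS.get(requesting_client)
    if client is None:
        raise ValueError("invalid_client")
    if subject_token["expires_at"] <= now:
        raise ValueError("invalid_grant: subject token expired")
    # Point 3: a client may exchange a token issued to another client only if
    # that other client is on its explicit allow-list.
    original = subject_token["client_id"]
    if original != requesting_client and original not in client["exchange_allowed_from"]:
        raise ValueError("invalid_grant: token not exchangeable by this client")
    # Point 1: requested scopes must be a subset of the client's allowed scopes.
    # Also bound them by the subject token's scopes (not in the thread) so an
    # exchange can never widen privileges.
    requested = set(requested_scopes)
    if not requested <= client["allowed_scopes"]:
        raise ValueError("invalid_scope: not allowed for client")
    if not requested <= subject_token["scope"]:
        raise ValueError("invalid_scope: exceeds subject token")
    # Point 2: inherit expires_at so exchange cannot act as an unbounded refresh.
    return {"client_id": requesting_client, "sub": subject_token["sub"],
            "scope": requested, "issued_at": now,
            "expires_at": subject_token["expires_at"]}

def exchange_error(*args, **kwargs):
    """Helper returning the rejection reason, or None if the exchange succeeds."""
    try:
        exchange_token(*args, **kwargs)
    except ValueError as err:
        return str(err)
    return None
```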

@nsklikas we just have two conflicting files right now :)

peppelinux avatar Feb 24 '22 13:02 peppelinux

@peppelinux @nsklikas Hello, are you planning to merge this in the public repository? I would really like to have token exchange in SATOSA.

melanger avatar Aug 01 '22 11:08 melanger

> @peppelinux @nsklikas Hello, are you planning to merge this in the public repository? I would really like to have token exchange in SATOSA.

Hello! It is already supported in idpy-oidc. https://github.com/IdentityPython/idpy-oidc/tree/main

ctriant avatar Aug 02 '22 08:08 ctriant

It's supported in idpy-oidc but the official SATOSA version at IdentityPython is still not based on idpy-oidc.

rohe avatar Aug 02 '22 14:08 rohe

The default OIDC frontend in SATOSA uses pyop and oic, but I am using satosa-oidcop which uses this library (oidc-op).

> It's supported in idpy-oidc but the official SATOSA version at IdentityPython is still not based on idpy-oidc.

So which library is the "new" one? I thought it is this one.

melanger avatar Aug 03 '22 07:08 melanger

idpy-oidc is where the action is.

rohe avatar Aug 03 '22 07:08 rohe

> idpy-oidc is where the action is.

So let me recap:

What are the development plans? Are you going to support oidc-op until idpy-oidc is mature enough and integrated with SATOSA?

melanger avatar Aug 04 '22 10:08 melanger

Good questions all. I'm responsible for the OIDC/OAuth2 libraries within IdentityPython and I would like SATOSA to switch to using idpy-oidc as soon as possible. I think there is a SATOSA frontend, based on idpy-oidc, in the EduTeams implementation but it isn't public yet.

rohe avatar Aug 04 '22 11:08 rohe