
This project mandates JWTs for tokens, whilst OAuth 2.0 does not

Open · ThisIsMissEm opened this issue 2 years ago

Summary

The OAuth 2.0 specifications do not mandate JWTs for access tokens and ID tokens (only OIDC does that, though there are OAuth 2.0 specifications that define JWTs for tokens). It might be worth clarifying whether you mean this project as an OIDC mock server or an OAuth 2.0 mock server.

If it's the latter, then supporting non-JWT tokens would be a good idea (as well as disabling the .well-known/openid-configuration endpoint and potentially supporting RFC8414, which is similar but different).

Also, OAuth 2.0 doesn't mandate that servers must support token introspection, so being able to disable that would be good.

Note: Filed this as a bug, as it's unclear the intent of this project because of the discrepancy between its name and the functionality implemented.

If this project were to support non-JWT access tokens, it could be used by folks developing services/apps for Mastodon and similar federated social media software, which tends to use OAuth 2.0 specs but not implement OIDC.

ThisIsMissEm · Oct 10 '23 16:10

@ThisIsMissEm Thanks a lot for this feedback.

Sadly, I'm not as well versed in RFCs as @poveden is. So you might need to help me out a bit in order to better understand the issue you're facing.

> If this project were to support non-JWT access tokens, it could be used by folks developing services/apps for Mastodon and similar federated social media software, which tends to use OAuth 2.0 specs but not implement OIDC.

Could you please describe the pain points you're facing integrating oauth2-mock-server in that context? What doesn't work? What's missing? Maybe could you provide us with a view of the expected flows this integration would require and highlight where oauth2-mock-server is lacking?

nulltoken · Oct 11 '23 18:10

@ThisIsMissEm Closing due to inactivity. Feel free to message back should you want to discuss this further.

nulltoken · May 21 '24 12:05

Oh, sorry, I've just been busy. From what I can tell this project isn't actually an OAuth2 Mock Server but an OIDC Mock Server — i.e., it implements /.well-known/openid-configuration instead of /.well-known/oauth-authorization-server (RFC8414)

So if someone were to try to use this project to mock an OAuth 2 Authorization Server, they'd get behaviour that is inconsistent with how their authorization server actually acts.

You may also want to disable usage of Resource Owner Password Grants by default, since these are deprecated by OAuth 2.1: https://drafts.oauth.net/oauth-v2-1/draft-ietf-oauth-v2-1.html

ThisIsMissEm · May 27 '25 19:05

So, like, JWTs being used for access tokens and refresh tokens is an OIDC thing, not a default OAuth thing. OAuth servers can also use JWTs for access tokens and refresh tokens, but by default OAuth access tokens and refresh tokens are just opaque strings.

ThisIsMissEm · May 27 '25 19:05

One potential direction is to add "profiles" to the implementation, which would give you an OIDC profile or an opaque token profile, which would change which endpoint is used for authorization server metadata, change whether or not JWTs are used, etc.

ThisIsMissEm · May 27 '25 19:05