
Hard to extends with new grant-types (new RFCs)

Open matejsp opened this issue 3 years ago • 6 comments

  1. unable to add custom grant to a model (for admin ui):

For example:

- urn:ietf:params:oauth:grant-type:jwt-bearer
- urn:ietf:params:oauth:grant-type:token-exchange

https://oauthlib.readthedocs.io/en/latest/oauth2/grants/custom_grant.html

only solution is to modify meta directly:

    from django.utils.translation import gettext_lazy as _
    from oauth2_provider import models as oauth2_provider_models

    # Workaround: overwrite the choices on the model field after the class is defined
    oauth2_provider_models.AbstractApplication._meta.get_field(
        'authorization_grant_type'
    ).choices = (('urn:ietf:params:oauth:grant-type:jwt-bearer', _('Jwt Grant')),)

  2. unable to limit allowed grant types in choices (like removing unsupported or deprecated ones). Should have a solution to specify the list in configuration or from configuration.

    authorization_grant_type = models.CharField(max_length=32,
                                                choices=GRANT_TYPES)

  3. Length of 32 is not sufficient. Should be 64 or even 255 for future use.

matejsp avatar Feb 17 '22 07:02 matejsp
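The three points above (custom URN grant types, a configurable allowlist instead of a hard-coded `choices` tuple, and a `max_length` that cannot hold an RFC 6755 URN) can be exercised without touching Django model meta. The following is an added, stand-alone Python example, not code from django-oauth-toolkit or from the issue author; the `CONFIGURED_GRANT_TYPES` mapping, the function names and the `DEPRECATED_GRANT_TYPES` set are constructed for this illustration. It builds Django-style `(value, label)` choices from a configured mapping, rejects identifiers that are deprecated, malformed, or would be truncated by the column width, and reports the smallest `max_length` that fits everything configured.

```python
import re

# Constructed configuration for this example (not a django-oauth-toolkit setting):
# the grant-type identifiers a deployment wants to offer in its admin choices.
CONFIGURED_GRANT_TYPES = {
    "authorization-code": "Authorization code",
    "client-credentials": "Client credentials",
    # URNs from the RFC 6755 grant-type namespace, as used by RFC 7523 and RFC 8693
    "urn:ietf:params:oauth:grant-type:jwt-bearer": "JWT bearer (RFC 7523)",
    "urn:ietf:params:oauth:grant-type:token-exchange": "Token exchange (RFC 8693)",
}

# Grant types the OAuth 2.0 Security BCP recommends against and the OAuth 2.1
# draft removes; a configurable allowlist should refuse them outright.
DEPRECATED_GRANT_TYPES = frozenset({"implicit", "password"})

# Width of the CharField quoted in the issue, and the size the issue proposes.
CURRENT_MAX_LENGTH = 32
PROPOSED_MAX_LENGTH = 64

# Either a short RFC 6749-style name or a URN in the RFC 6755 grant-type namespace.
_SHORT_NAME = re.compile(r"^[a-z][a-z0-9-]*$")
_GRANT_URN = re.compile(r"^urn:ietf:params:oauth:grant-type:[A-Za-z0-9._-]+$")


def is_well_formed(identifier: str) -> bool:
    """True if the identifier is a short grant name or an RFC 6755 grant-type URN."""
    return bool(_SHORT_NAME.match(identifier) or _GRANT_URN.match(identifier))


def fits_column(identifier: str, max_length: int = CURRENT_MAX_LENGTH) -> bool:
    """True if the identifier can be stored in a CharField of the given max_length."""
    return len(identifier) <= max_length


def find_problems(configured: dict, max_length: int = CURRENT_MAX_LENGTH) -> list:
    """Return one message per configured identifier that must not become a choice.

    Deprecated grants, identifiers outside the expected formats, and values that
    the storage column would silently truncate are all reported.
    """
    problems = []
    for identifier in configured:
        if identifier in DEPRECATED_GRANT_TYPES:
            problems.append(f"{identifier}: deprecated grant type")
        elif not is_well_formed(identifier):
            problems.append(f"{identifier}: not a grant name or RFC 6755 grant-type URN")
        elif not fits_column(identifier, max_length):
            problems.append(
                f"{identifier}: {len(identifier)} chars exceeds max_length={max_length}"
            )
    return problems


def build_choices(configured: dict, max_length: int = CURRENT_MAX_LENGTH) -> list:
    """Turn the configured mapping into Django-style (value, label) choices.

    Fails at startup with every problem listed, rather than letting a bad
    identifier surface later as a truncated row or a rejected token request.
    """
    problems = find_problems(configured, max_length)
    if problems:
        raise ValueError("; ".join(problems))
    return [(identifier, label) for identifier, label in configured.items()]


def required_max_length(configured: dict) -> int:
    """Smallest CharField max_length that can hold every configured identifier."""
    return max(len(identifier) for identifier in configured)


if __name__ == "__main__":
    print("longest configured identifier:", required_max_length(CONFIGURED_GRANT_TYPES))
    for problem in find_problems(CONFIGURED_GRANT_TYPES, CURRENT_MAX_LENGTH):
        print("max_length=32 rejects:", problem)
    for value, label in build_choices(CONFIGURED_GRANT_TYPES, PROPOSED_MAX_LENGTH):
        print(f"{value!r:52} {label}")
```

Run as a script it shows that both URNs (43 and 47 characters) are rejected at `max_length=32` and accepted at 64, which is the concrete reason behind point 3; the same `find_problems` check is what a `checks`-style startup hook would call so that a deployment cannot configure a deprecated or unstorable grant type.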

@matejsp Please cite the specific new RFCs. There are so many to choose from. Also, a PR to address this would be appreciated.

n2ygk avatar Mar 21 '22 14:03 n2ygk

RFCs:

- https://datatracker.ietf.org/doc/html/rfc7523 -> jwt grant
- https://datatracker.ietf.org/doc/html/rfc8693 -> token exchange

There is also: https://www.rfc-editor.org/rfc/rfc7522.html -> saml2 bearer

Point here is to allow adding custom grant types and not implementing all the RFCs that exists :)

For now I have worked around this issue by modifying django meta directly. We still use the old version, but after we migrate to a newer one, I can come back and create some PRs.

matejsp avatar Mar 21 '22 14:03 matejsp

Actually this RFC is mostly relevant since it covers how to define custom types: https://datatracker.ietf.org/doc/html/rfc6755

matejsp avatar Mar 21 '22 14:03 matejsp

hello @n2ygk can i try this if its available? any pointers or things i need to look at before doing a PR?

bull500 avatar Oct 22 '23 17:10 bull500

@bull500 Please check in with @matejsp and see https://django-oauth-toolkit.readthedocs.io/en/latest/contributing.html and https://datatracker.ietf.org/doc/html/draft-ietf-oauth-security-topics to make sure this functionality has not been deprecated in OAuth 2.1.

Thanks!

n2ygk avatar Oct 23 '23 14:10 n2ygk

Well, my initial bug was to support adding ANY custom grant types, but there are some limitations in the current implementation. It does not really matter what is still supported but what can be supported when a new RFC is drafted or published and people want to extend it themselves.

We implemented 'jwt grant' ourselves for grant-type and client-assertion-type:

    JWT_BEARER_GRANT_NAME = 'urn:ietf:params:oauth:grant-type:jwt-bearer'
    JWT_BEARER_CLIENT_ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer'

I reported one solution for jwt grant assertion type in another task: https://github.com/jazzband/django-oauth-toolkit/issues/1259

matejsp avatar Oct 23 '23 15:10 matejsp