Johannes Koch
@darrelmiller > To date when talking about OAuth2 flows, that generally defines which grant_type is used when making the token request. RFC7251 basically ignores the notion of flows and says...
A web browser does not react in a special way to `WWW-Authenticate: Bearer ...` as it does with `WWW-Authenticate: Basic ...`, probably because there is no defined user interaction involved....
As Couper is a lightweight API gateway, it can be _client_ or _resource server_ or both.
Couper sends a `401` if a token is missing. https://datatracker.ietf.org/doc/html/rfc7235#section-3.1:

> The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one...
> We implemented go 1.13 error style checking a while ago, you can see in the example how it works
>
> https://github.com/golang-jwt/jwt/blob/6de17d3b3e986289b9b32d4febae39899bd838e2/example_test.go#L97-L117

If you remove some characters from the...
@SwapnilKhante No, I guess, it's not possible at the moment. Keep in mind that there is a difference between using jwt-bearer as _grant_ (`grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer`, `assertion=ey...`) and using it as a...
Using jwt-bearer as a _client authentication mechanism_ would be an alternative to specifying (client_id and) client_secret in the _Swagger UI_. However, if you want to support this alternative, there should...
> Or would you use the order of references in the access_control list?

I guess that's the order in which access controls are (already) applied.
> Should we reply with some additional headers like https://github.com/sashabaranov/go-openai/blob/master/ratelimit.go#L10 ?

This could also be interesting for our BE limiters. See also

* https://github.com/ietf-wg-httpapi/ratelimit-headers and https://datatracker.ietf.org/doc/draft-ietf-httpapi-ratelimit-headers/ or https://greenbytes.de/tech/webdav/draft-ietf-httpapi-ratelimit-headers-latest.html
* https://developer.okta.com/docs/reference/rl-best-practices/
@malud Would it be safe to ignore backend errors with `couper verify`?