
feature request: in token endpoint, allow passing `resource` in querystring in addition to body

Open notpushkin opened this issue 2 years ago • 6 comments

What problem did you meet?

resource doesn't seem to be an official OAuth2 parameter, and many client libraries don't support it out of the box – notably, Authlib in Python and the Swagger UI (https://github.com/swagger-api/swagger-ui/pull/9249).

Describe what you'd like Logto to have

If Logto accepted resource in URL, it could be "hardcoded" in the URL passed to OAuth2 client libs:

```python
from authlib.integrations.httpx_client import AsyncOAuth2Client

# resource is carried in the token endpoint URL itself, so the client lib needs no extra parameter
token_endpoint = "https://logto.example.net/oidc/token?resource=https%3A%2F%2Fdefault.logto.app%2Fapi"

# client_id / client_secret: the application's credentials registered in Logto
client = AsyncOAuth2Client(client_id, client_secret)
token = await client.fetch_token(token_endpoint, grant_type="client_credentials", scope="all")
```

```http
POST /oidc/token?resource=https://default.logto.app/api
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials&scope=all
```

This would allow plugging Logto into any OAuth2-compliant client in situations when using the SDK might be inconvenient or undesired.

notpushkin avatar Oct 02 '23 15:10 notpushkin

Possible alternative: accept resource in the /oidc/auth endpoint (like Auth0 does: GET /authorize – perhaps also rename it audience for interoperability?)

notpushkin avatar Oct 02 '23 15:10 notpushkin

Could you please provide additional details regarding the specific use case or scenario?

wangsijie avatar Oct 08 '23 06:10 wangsijie

@wangsijie Sure! Here's an example:

I'm using FastAPI on the backend and it provides automatic Swagger UI on the /docs endpoint, which is super useful for testing. I want to integrate Logto authorization in this docs endpoint, so that I can test authenticated endpoints as well.

However, Swagger UI doesn't have a mechanism to add the resource parameter to the request sent to the token endpoint. So if I specify https://example.logto.app/oidc/token as the token endpoint, it wouldn't know which API to issue the token for.

As a workaround, I've added my own endpoint that adds resource and proxies the request to Logto. I then specify this endpoint as the token endpoint for Swagger UI to use.

It works, but feels like a hack. It's also only possible because I control the backend and can add another endpoint. If I could instead specify https://example.logto.app/oidc/token?resource=... as the token endpoint directly, I wouldn't need the proxy endpoint at all.

notpushkin avatar Oct 08 '23 12:10 notpushkin

@notpushkin not sure if this helps but you may mark a specific resource as default so it can be omitted in your auth request. That might work as long as all your APIs share the same root path.

https://docs.logto.io/docs/references/resources/#default-api


simeng-li avatar Oct 09 '23 02:10 simeng-li

@simeng-li That does sound like a possible solution for a single API (doesn't work for multiple API endpoints though), but it didn't work for me when I tried it – the token issued by the /oidc/token endpoint still wasn't JWT. Should I give it another try and file a bug if it still doesn't work?

notpushkin avatar Oct 09 '23 14:10 notpushkin

Hmm, that should not happen. Could you double-check the value of the scope parameter in your /oidc/token request?


The auth server will issue the default resource's access_token only if:

  • no resource parameter is specified in the token exchange request
  • the requested scope does not include openid

Let me know if it still does not work for you.

simeng-li avatar Oct 13 '23 03:10 simeng-li
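The audience resolution discussed in this thread, as an added example that is not Logto's code and not part of the original issue: a hypothetical `resolve_resource` helper that decides which API resource a token request targets, trying the form body first, then the token endpoint's query string (the requested feature), and finally the default resource under the rule stated in the comment above (no `resource` parameter and no `openid` in `scope`). The registered resource set and default resource are constructed sample values; rejecting an unregistered resource with `invalid_target` follows the `resource` indicator in RFC 8707, not anything the thread states.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: API resources registered with the auth server and the
# one marked as default (the "default API" setting linked earlier in the thread).
REGISTERED_RESOURCES = {
    "https://default.logto.app/api",
    "https://billing.example.com/api",
}
DEFAULT_RESOURCE = "https://default.logto.app/api"


def _single(params, name):
    """Return the single value of `name` from a parsed query/body, or None.

    A repeated parameter is ambiguous, so it is rejected rather than silently
    picking one copy.
    """
    values = params.get(name, [])
    if len(values) > 1:
        raise ValueError(f"invalid_request: duplicate '{name}' parameter")
    return values[0] if values else None


def resolve_resource(request_url, form_body,
                     registered=REGISTERED_RESOURCES, default=DEFAULT_RESOURCE):
    """Decide the audience of a token request (hypothetical, not Logto's logic).

    Returns the resource URL a resource-bound JWT should be issued for, or None
    when an opaque access token (OIDC flow) should be issued instead.
    Lookup order:
      1. `resource` in the form body, the existing behaviour;
      2. otherwise `resource` in the token endpoint query string (the proposal);
      3. otherwise the default resource, only if `scope` lacks `openid`.
    """
    body = parse_qs(form_body, keep_blank_values=True)
    query = parse_qs(urlsplit(request_url).query, keep_blank_values=True)

    body_res = _single(body, "resource")
    query_res = _single(query, "resource")
    if body_res and query_res and body_res != query_res:
        # Two different audiences in one request is a client bug; refuse it.
        raise ValueError("invalid_request: conflicting 'resource' in body and query string")
    resource = body_res or query_res

    if not resource:
        scopes = (_single(body, "scope") or "").split()
        if "openid" in scopes:
            return None  # OIDC request: opaque access token plus id_token
        resource = default

    # Only registered API resources may be named as an audience (RFC 8707 invalid_target).
    if resource not in registered:
        raise ValueError(f"invalid_target: unknown resource {resource!r}")
    return resource


if __name__ == "__main__":
    url = "https://logto.example.net/oidc/token?resource=https%3A%2F%2Fdefault.logto.app%2Fapi"
    print(resolve_resource(url, "grant_type=client_credentials&scope=all"))
    print(resolve_resource("https://logto.example.net/oidc/token",
                           "grant_type=authorization_code&scope=openid%20profile"))
```

With the query-string form, a client library that cannot add custom body parameters still gets a resource-bound token, and the body form keeps working unchanged; the conflict check matters because otherwise a request could name one audience in the URL and another in the body.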

@notpushkin I am closing this issue now, feel free to reopen if you have any further questions.

wangsijie avatar Jan 15 '24 02:01 wangsijie