Support for opaque access tokens


Magne Bratseth

Apr 13, 2023, 4:23:44 AM
to WildFly
Hi

I am trying to use Elytron OIDC to authenticate users, using different identity providers.
But as others have already commented, and the issue https://issues.redhat.com/browse/ELY-2202 states, Elytron assumes the access token is always a valid JWT.

I am not sure what the best way to add support for opaque access tokens is. But I am willing to spend some time coding and submitting a pull request if someone can guide me to what the proper solution would be. For my case (only authentication), a simple approach with a configuration option to either skip the access token or not fail if it is not a valid JWT would be enough.

Best regards,
Magne

Diana Krepinska

Apr 19, 2023, 11:06:19 AM
to WildFly
Hello Magne,

Thank you for your interest! We will look into what the implementation for opaque access token validation would entail and I will get back to you with further details.

Diana Krepinska

Apr 25, 2023, 4:37:51 PM
to WildFly
Hello Magne,

Adding support for opaque access tokens requires the addition of introspection endpoint calls to verify that the opaque token is active and to retrieve the relevant information. The implementation for this would be added to the module here. Some relevant access token processing for cases when the token is JWT can be seen here.

The implementation requires adding a new option to the oidc.json to be able to configure an introspection endpoint URL.

Please let us know if you have any questions,
Thanks!

Magne Bratseth

Apr 27, 2023, 1:57:39 AM
to WildFly
Hello Diana,

I will start looking at this soon. Thanks for the pointers.

Best regards,
Magne

Magne Bratseth

Jun 13, 2023, 8:52:58 AM
to WildFly
Hi,

I have started looking at the code and gathering some more details about the introspection endpoints and their use. But I have hit a bit of a snag.

Neither of the two identity providers I am tasked with supporting (Google and Oauth0) have an introspection endpoint, so that is unfortunate.
Also, when investigating, I read that access tokens should only be used when calling APIs and not by the application itself. So for me it seems that we shouldn't even be checking the access token when authenticating users, or am I missing something here?
I guess the way that it works now may be specific for Keycloak?

Best regards,
Magne

Diana Krepinska

Jul 20, 2023, 5:59:34 AM
to WildFly
Hi Magne,

I am very sorry about my late response. If the access token is meant to be used with WF as the recipient, there needs to be a way to validate it. A different use case is if Google's opaque access token is meant to be used with Google's APIs; then we might not need to do a validation with the introspection endpoint. So maybe there could be a setting to configure whether the introspection should take place.
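The flow Diana outlines in her Apr 25 and Jul 20 messages (an RFC 7662 introspection call that checks the opaque token is active, behind a configuration switch so that a token meant for the IdP's own APIs is passed through rather than parsed as a JWT), as an added illustration in Python; this is not code from Elytron or from anyone in this thread. The endpoint URL, client credentials and configuration key names are constructed, not Elytron's oidc.json keys.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Constructed sample configuration; the key names are hypothetical, not Elytron's oidc.json keys.
CONFIG = {
    "client-id": "wildfly-app",
    "client-secret": "constructed-secret",
    "introspection-endpoint": "https://idp.example/oauth2/introspect",  # unset => no introspection
}


def build_request(token, cfg=CONFIG):
    """RFC 7662 request: form-encoded POST, client authenticated with HTTP Basic."""
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    creds = base64.b64encode(f"{cfg['client-id']}:{cfg['client-secret']}".encode()).decode()
    headers = {"Authorization": "Basic " + creds, "Accept": "application/json",
               "Content-Type": "application/x-www-form-urlencoded"}
    return urllib.request.Request(cfg["introspection-endpoint"], data=body, headers=headers, method="POST")


def check_response(body, cfg=CONFIG, now=None):
    """Validate the introspection JSON; returns (accepted, reason). Only an explicit active=true counts."""
    now = time.time() if now is None else now
    try:
        claims = json.loads(body)
    except ValueError:
        return False, "response is not JSON"
    if claims.get("active") is not True:
        return False, "token not active"  # revoked, expired, unknown or not for this resource
    if "exp" in claims and claims["exp"] <= now:
        return False, "token expired"
    aud = claims.get("aud")
    if aud is not None:
        auds = aud if isinstance(aud, list) else [aud]
        if cfg["client-id"] not in auds:
            return False, "token not issued for this client"
    return True, "active"


def validate_access_token(token, cfg=CONFIG, fetch=None, now=None):
    """Without an introspection endpoint the opaque token is passed through untouched
    (never parsed as a JWT); with one it is introspected. fetch is injectable for tests."""
    if not cfg.get("introspection-endpoint"):
        return True, "introspection not configured; token not validated by WildFly"
    fetch = fetch or (lambda req: urllib.request.urlopen(req, timeout=5).read())
    return check_response(fetch(build_request(token, cfg)), cfg, now)
```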