Implement token exchange #59
Conversation
angelakis
force-pushed
the
feature-token-exchange
branch
from
3919d57 to
2f85f83
Compare
src/oidcendpoint/oidc/token_coop.py
Outdated
| grant_type not in self.token_grant_types | ||
| or grant_type not in grant_types_supported | ||
| ): | ||
| raise ProcessError("Invalid grant type") |
There was a problem hiding this comment.
Add the grant_type value to the exception?
src/oidcendpoint/oidc/token_coop.py
Outdated
|
|
||
| return request | ||
|
|
||
| def _token_exchange_post_parse_request(self, request, client_id="", **kwargs): |
There was a problem hiding this comment.
We could override the parse_request method, add a request_cls param to override self.request_cls and provide the proper one depending on the grant_type. This way we can get rid of *_post_parse_request
There was a problem hiding this comment.
I'd rather add a get_request_class() method.
src/oidcendpoint/oidc/token_coop.py
Outdated
| elif grant_type == "urn:ietf:params:oauth:grant-type:token-exchange": | ||
| return self._token_exchange_post_parse_request(request, client_id, **kwargs) | ||
| else: | ||
| raise ProcessError("Invalid grant type") |
There was a problem hiding this comment.
Add the grant_type value to the exception?
src/oidcendpoint/oidc/token_coop.py
Outdated
| response_args = self._refresh_access_token(request, **kwargs) | ||
| elif grant_type == "urn:ietf:params:oauth:grant-type:token-exchange": | ||
| logger.debug("Token Exchange Request") | ||
| response_args = self._token_exchange(request, **kwargs) |
There was a problem hiding this comment.
Move this if/elif/elif to separate function?
|
Have a look at https://github.com/IdentityPython/oidcendpoint/blob/by_grant_type/src/oidcendpoint/oidc/token_coop.py |
|
I've even added a test based on an example in the RFC. |
|
And yes, I think we should get rid of Token and only keep TokenCoop. |
angelakis
force-pushed
the
feature-token-exchange
branch
from
2f85f83 to
a1f2199
Compare
|
We decided to use @rohe's by_grant_type branch and work on that to implement a simple Token Exchange functionality. I believe that our first goal should be to support exchanging access tokens for new access tokens with (the same or) altered scopes. In that regard I have just pushed the current implementation which seems to work. There's one simple change concerning by_grant_type and its configuration: There are multiple issues right now and the main one is probably how session works, and its dependency on state. We should discuss a way forward concerning that. Tests are also missing currently. Any other feedback welcome. |
angelakis
force-pushed
the
feature-token-exchange
branch
3 times, most recently
from
2e4a8d1 to
612dec9
Compare
|
Can you clean up the commits a little bit? Also it seems that there are extra changes in this PR that are not related to token exchange. |
src/oidcendpoint/client_authn.py
Outdated
| _cinfo = endpoint_context.cdb[client_id] | ||
| if isinstance(_cinfo, str): | ||
| if not _cinfo in endpoint_context.cdb: | ||
| if isinstance(_cinfo, str): # This is if _cinfo is a reference to another client_id |
angelakis
force-pushed
the
feature-token-exchange
branch
from
72c95b4 to
aa8e983
Compare
|
Pushed multiple tests both for the by-grant-type refactor and token exchange. They try to highlight the functionality we introduce so they will need changes once we decide on the token exchange features (or whether we allow specifying "default" on a grant_type in grant_types_supported). |
I could remove the isort commits and keep only the parts containing the actual changes in TokenCoop, if that's ok with @rohe. And if we want to do this even better I could split up the grant_types_supported changes and the token exchange ones. |
angelakis
force-pushed
the
feature-token-exchange
branch
from
aa8e983 to
e914eb8
Compare
|
That would be OK with me. |
angelakis
force-pushed
the
feature-token-exchange
branch
2 times, most recently
from
cee5f8a to
3ecb084
Compare
angelakis
force-pushed
the
feature-token-exchange
branch
from
3ecb084 to
f13e22d
Compare
angelakis
changed the base branch from
develop
to
feature-configurable-grant-types
angelakis
force-pushed
the
feature-token-exchange
branch
from
f13e22d to
76d1dc6
Compare
angelakis
force-pushed
the
feature-configurable-grant-types
branch
from
ffee2a9 to
ec006ad
Compare
angelakis
force-pushed
the
feature-token-exchange
branch
from
76d1dc6 to
a9a78cf
Compare
angelakis
changed the base branch from
feature-configurable-grant-types
to
new_session_handling
angelakis
force-pushed
the
feature-token-exchange
branch
from
a9a78cf to
a4afb20
Compare
|
Accidentally closed this while trying to push the rebased version to the new session handling. Seeing that this PR has changed a lot since its creation, it may be better to create a new one. |
3 participants
Update:
We decided to refactor token coop based on the by_grant_type branch. Check #59 (comment) for more info.
Original Message:
This is a pull request to implement token exchange a.k.a. RFC 8693.
The implementation will not be as straightforward as I first hoped it would be, as token exchange is an extension grant type used in the token endpoint.
Currently implemented token and tokencoop endpoints, do not have an easy way to add/configure new grant_types so I think we should refactor one of those two.
TokenCoop was selected to be refactored but we could in the future
just keep the new version instead of having both Token and the new
configurable/extendable TokenCoop.
I think it would be a good idea to use grant_types_supported as a configuration option to figure out what grant types the endpoint should support.
As I previously mentioned, this is still a work in progress and the actual token exchange code has not yet been implemented. RFC 8693 is broad so its implementation will need a discussion too.
Any feedback welcome.