Skip to content

[All SDKs] OAuth token endpoint should be configurable and/or support oidc discovery #238

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
3 of 5 tasks
le-yams opened this issue Nov 28, 2023 · 5 comments
Open
3 of 5 tasks

[All SDKs] OAuth token endpoint should be configurable and/or support oidc discovery #238

le-yams opened this issue Nov 28, 2023 · 5 comments
Labels
dotnet-sdk Affects the C#/DotNet SDK enhancement New feature or request go-sdk Affects the Go SDK good first issue Good for newcomers hacktoberfest java-sdk Affects the Java/Kotlin SDK js-sdk Affects the JavaScript SDK python-sdk Affects the Python SDK

Comments

@le-yams
Copy link
Contributor

le-yams commented Nov 28, 2023
edited by rhamzeh
Loading

Description

For clients using OAuth2 credentials, the token endpoint is currently hardcoded in all SDKs (with /oauth/token value).
Could it be possible to make it configurable? Or even better support oidc discovery?

I'm willing to contribute if that's something you would be interested in :)

Steps to take

Change the apiTokenIssuer field in the configuration to accept a full URL.
So:

ApiTokenIssuer Endpoint SDK will hit
issuer.fga.example https://issuer.fga.example/oauth/token
https://issuer.fga.example https://issuer.fga.example/oauth/token
https://issuer.fga.example:8080 https://issuer.fga.example:8080/oauth/token
issuer.fga.example/some_endpoint https://issuer.fga.example/some_endpoint
https://issuer.fga.example/some_endpoint https://issuer.fga.example/some_endpoint
https://issuer.fga.example:8080/some_endpoint https://issuer.fga.example:8080/some_endpoint

Of course, we'll need to do some of the validations to ensure e.g. users are passing fields with https or http (and not e.g. ftp) and that the full url is valid

Related Issues

SDKs to be updated
@le-yams le-yams mentioned this issue Nov 30, 2023
Merged
4 tasks
@le-yams
Copy link
Contributor Author

le-yams commented Nov 30, 2023

I opened the PR #240 for the Java SDK. I have prepared all other SDKs (go, js, dotnet and python) but I'll wait your review on this one before submitting them 😃.

@rhamzeh rhamzeh added enhancement New feature or request go-sdk Affects the Go SDK dotnet-sdk Affects the C#/DotNet SDK js-sdk Affects the JavaScript SDK python-sdk Affects the Python SDK java-sdk Affects the Java/Kotlin SDK labels Dec 15, 2023
@le-yams le-yams mentioned this issue Jan 12, 2024
Merged
4 tasks
@rhamzeh rhamzeh moved this to In progress in SDKs and Tooling Jan 22, 2024
@rhamzeh rhamzeh moved this from In progress to Ready in SDKs and Tooling Jan 23, 2024
@rhamzeh rhamzeh mentioned this issue Jan 23, 2024
Closed
5 tasks
@rhamzeh rhamzeh removed the status in SDKs and Tooling Feb 9, 2024
@rhamzeh rhamzeh moved this to Back-burner in SDKs and Tooling Feb 9, 2024
@rhamzeh rhamzeh moved this from Back-burner to Backlog in SDKs and Tooling Feb 9, 2024
@rhamzeh rhamzeh moved this from Backlog to Ready in SDKs and Tooling Jun 11, 2024
@danielloader
Copy link

@le-yams do you still have the other sdk examples around? I know it's been a while!

@rhamzeh rhamzeh mentioned this issue Aug 29, 2024
Open
4 tasks
@rhamzeh rhamzeh mentioned this issue Sep 28, 2024
Closed
1 task
@Divan009 Divan009 mentioned this issue Oct 1, 2024
Merged
4 tasks
@Divan009
Copy link
Contributor

Divan009 commented Oct 1, 2024

Hi I've opened the PR #421 for the Python SDK. Looking forward to a review

@stefan505
Copy link

The only way this can be properly solved is to use the well known endpoint of the IDP in question, to correctly discover endpoints for the issuer and token_endpoint, etc. The current implementation doesn't work for Microsoft Entra ID, nor Amazon Cognito for example, for different reasons.

Additionally, the reliance on audience for OIDC client credentials auth doesn't work for Amazon Cognito (as far as I can tell) as it doesn't appear to support audience and there is no aud claim for it in an access token.

alex-zyl pushed a commit to alex-zyl/sdk-generator that referenced this issue Mar 5, 2025
openfga#238 Support custom token issuer endpoints
5231b3f
@alex-zyl alex-zyl mentioned this issue Mar 5, 2025
Open
4 tasks
alex-zyl added a commit to alex-zyl/sdk-generator that referenced this issue Mar 5, 2025
@alex-zyl
openfga#238 Support custom token issuer endpoints
a203e06
@manuel-lang
Copy link
Contributor

manuel-lang commented Apr 2, 2025
edited
Loading

Unfortunately, also the Python SDK still seems to experience this issue, as the suffix is hardcoded in the OAuth client's _obtain_token function.

Edit: Should be fixed now.

@manuel-lang manuel-lang mentioned this issue Apr 2, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dotnet-sdk Affects the C#/DotNet SDK enhancement New feature or request go-sdk Affects the Go SDK good first issue Good for newcomers hacktoberfest java-sdk Affects the Java/Kotlin SDK js-sdk Affects the JavaScript SDK python-sdk Affects the Python SDK
Projects
SDKs and Tooling
Status: Ready
Milestone
No milestone
Development

No branches or pull requests
6 participants
@rhamzeh @danielloader @le-yams @stefan505 @manuel-lang @Divan009