Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add Authority to ClientCredentials options #102

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

Add Authority to ClientCredentials options #102

wants to merge 2 commits into from

Conversation

josephdecock
Copy link
Member

Adds a new authority option. If it is set, we use it to retrieve the discovery document, and use that to configure the token endpoint. Because this is an async operation, we have a new abstraction for retrieval of the token endpoint

Closes #28

@josephdecock
Add Authority to ClientCredentials options
cc00081 
If authority is set, we use it to retrieve the discovery document, and use that to configure the token endpoint.

Because this is an async operation, we have a new abstraction for retrieval of the token endpoint
@josephdecock
Update client credentials samples to use authority
6584491
@josephdecock josephdecock added this to the 3.0.0 milestone May 3, 2024
josephdecock
josephdecock commented May 3, 2024
View reviewed changes
samples/WorkerDI/ClientAssertionService.cs
var descriptor = new SecurityTokenDescriptor
{
Issuer = options.ClientId,
Audience = options.TokenEndpoint,
Audience = await _tokenEndpoint.GetAsync(options),
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For most usage, you just set the authority and let discovery happen in the background. But sometimes you do need to know what the token endpoint is - for example, here when we make a client assertion, we need to use the token endpoint as the audience. This is slightly more complex than just reading the option as we used to - notably this uses a new service and is an async operation. I don't think we can really avoid this though, because invoking the discovery endpoint *is async. At one point, we talked about doing this in a PostConfigureOptions, but that doesn't support asynchronicity.

src/Duende.AccessTokenManagement/TokenEndpointRetriever.cs
{
if (!_caches.ContainsKey(authority))
{
_caches[authority] = new DiscoveryCache(authority);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should support DiscoveryPolicy and Timeout here.

@josephdecock josephdecock marked this pull request as draft May 3, 2024 20:55
@brockallen
Copy link
Member

Hmm.... ok, so do you think this is too complicated or problematic to pursue? IOW, is this worth all the new goo?

@josephdecock
Copy link
Member Author

Hmm.... ok, so do you think this is too complicated or problematic to pursue? IOW, is this worth all the new goo?

I'm unsure ... frankly was hoping for strong reactions to this PR 😆

It does feel kind of unnecessary, especially if I add discovery policy and cache timeout.

@leastprivilege, @AndersAbel, what do you guys think?

@leastprivilege
Copy link
Member

I think it is not the concern of this library to do discovery...

@josephdecock
Copy link
Member Author

Ok, then let's close this and #28.

@leastprivilege
Copy link
Member

I think it is not the concern of this library to do discovery...

At least not for this round of updates...

@josephdecock
Copy link
Member Author

Okay, I'll leave this as a draft PR for the future

@brockallen brockallen modified the milestones: 3.0.0, Future May 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@brockallen brockallen Awaiting requested review from brockallen

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Future
Development

Successfully merging this pull request may close these issues.

Consider allowing an Authority property on ClientCredentialsClient
3 participants
@josephdecock @brockallen @leastprivilege