Questions about authorization server spec #3744
Unanswered
sagikazarmark asked this question in Q&A
Replies: 0 comments
Hello!
I'm currently working on a custom authorization server and I'm trying to cover the full protocol outlined in the docs to make sure it works with most clients.
However, I have a couple of questions and I can't seem to find the answers in the docs.
1) What should the authorization server respond with when anonymous access is not allowed?
According to this documentation, quote:
Also, from the same documentation:
Based on these statements, it's unclear what the authorization server should return when anonymous access is not allowed at all:
401 Unauthorized
From a security perspective, it would make sense to not return any access token to the client if anonymous access is not allowed.
The reference implementation does not allow anonymous access (it explicitly requires credentials) and returns `401 Unauthorized`. I would suggest some clarification in the documentation (unless I'm misunderstanding something and it's clearly there somewhere).
2) Should the OAuth2 allow anonymous access?
Similarly to the above question, it's unclear whether or how anonymous access should work with the OAuth2 endpoint.
The reference implementation (in accordance with OAuth2) requires credentials to be present whenever the `password` grant is used. However, the relevant documentation also says that clients should attempt authenticating with OAuth2 first (if at all supported by the client) (`POST /token`) and fall back to the "original" token endpoint (`GET /token`) if OAuth2 returns 404. Following that logic, clients supporting the OAuth2 endpoint are unable to get an access token without authentication. Am I missing something?
3) How does a client obtain an access token using a refresh token without OAuth2?
According to this documentation a non-OAuth2 token endpoint is supposed to return a refresh token upon request (`offline_access=true`). However, the documentation doesn't say anything about how a client can use that refresh token to obtain an access token using the same (non-OAuth2) endpoint.
The reference implementation doesn't support that either.
One possible explanation is that a refresh token could be used with the OAuth2 endpoint, but as said above, the spec states that clients should go to that endpoint in the first place if they support it which means a client wouldn't go to the GET endpoint anyway.
4) How should the authorization server respond to invalid data?
The documentation explains how the authorization server should respond in case of an authentication failure, but it doesn't say anything about invalid data (e.g. malformed scopes).
The reference implementation is inconsistent:
- `400 Bad Request` for an invalid `offline_access` parameter

I realize that some of these questions are referring to client implementations, which are out of scope for this project; however, the documentation says that the spec folder (which contains all the above referenced documentation pages) belongs to this repository.
I'm happy to send PRs with clarifications to the referenced documentation pages if we figure out the answers to the above questions.
Thanks!
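To make the flows discussed in questions 1 to 4 concrete, here is an added example (not code from this discussion or from the distribution project): a small client that tries the OAuth2 `POST /token` endpoint first and falls back to the original `GET /token` endpoint only on 404, run against an in-memory stub authorization server. The stub's status codes follow what the question reports about the reference implementation (401 without credentials, 404 when OAuth2 is not offered, 400 for a malformed `offline_access` value); the `access_type=offline` form field, the `client_id` value, the credentials and the token strings are assumptions constructed for the example. Where the client has no credentials it goes straight to `GET /token`, because the `password` grant cannot be formed; that is a choice made here, not something the spec settles.

```python
"""Added example: client-side token fetch with OAuth2-first/GET fallback, exercised
against a constructed stub authorization server so it runs offline."""

# ---- stub authorization server (constructed; stands in for the network) ----
USERS = {"alice": "s3cret"}   # constructed credentials, not real ones
REFRESH_TOKENS: dict = {}     # refresh token -> user that obtained it


def _issue(user, offline):
    """Build a token response; 'refresh_token' is present only when offline access was requested."""
    body = {"token": f"token-for-{user}", "access_token": f"token-for-{user}", "expires_in": 300}
    if offline:
        refresh = f"refresh-{user}-{len(REFRESH_TOKENS)}"
        REFRESH_TOKENS[refresh] = user
        body["refresh_token"] = refresh
    return 200, body


def stub_server(method, path, params, basic_auth=None, oauth2_enabled=True):
    """Return (status, body) for the two endpoints the question describes.
    POST /token: OAuth2. 404 when not offered; the password and refresh_token grants
                 need valid credentials, otherwise 401; unknown grants get 400.
    GET  /token: original endpoint. 401 without valid credentials (anonymous access is
                 not allowed in this stub); 400 for a malformed offline_access value."""
    if path != "/token":
        return 404, {"error": "not found"}
    if method == "POST":
        if not oauth2_enabled:
            return 404, {"error": "not found"}
        grant = params.get("grant_type")
        if grant == "password":
            user = params.get("username")
            if user is None or USERS.get(user) != params.get("password"):
                return 401, {"error": "unauthorized"}
            return _issue(user, params.get("access_type") == "offline")
        if grant == "refresh_token":
            user = REFRESH_TOKENS.get(params.get("refresh_token"))
            if user is None:
                return 401, {"error": "unauthorized"}
            return _issue(user, True)
        return 400, {"error": "unsupported_grant_type"}
    if method == "GET":
        offline = params.get("offline_access", "false")
        if offline not in ("true", "false"):
            return 400, {"error": "invalid offline_access"}
        if basic_auth is None or USERS.get(basic_auth[0]) != basic_auth[1]:
            return 401, {"error": "unauthorized"}
        return _issue(basic_auth[0], offline == "true")
    return 405, {"error": "method not allowed"}


def legacy_only_server(method, path, params, basic_auth=None):
    """Same stub with the OAuth2 endpoint switched off (POST /token answers 404)."""
    return stub_server(method, path, params, basic_auth, oauth2_enabled=False)


# ---- client side ------------------------------------------------------------
class AuthError(Exception):
    """Raised on 401: the caller never receives a token in that case."""


def _check(status, body):
    """Map the server's status code to a result or a typed failure."""
    if status == 200:
        return body
    if status == 401:
        raise AuthError(body)
    if status == 400:
        raise ValueError(f"server rejected request data: {body}")
    raise RuntimeError(f"unexpected status {status}: {body}")


def fetch_token(transport, service, scope, username=None, password=None, offline=False):
    """With credentials, try the OAuth2 password grant first and fall back to GET /token
    only on 404. Without credentials, go straight to GET /token (choice made here)."""
    if username is not None:
        form = {"grant_type": "password", "service": service, "scope": scope,
                "client_id": "example-client", "username": username, "password": password}
        if offline:
            form["access_type"] = "offline"  # assumed OAuth2 counterpart of offline_access=true
        status, body = transport("POST", "/token", form)
        if status != 404:
            return _check(status, body)
    query = {"service": service, "scope": scope}
    if offline:
        query["offline_access"] = "true"
    creds = (username, password) if username is not None else None
    return _check(*transport("GET", "/token", query, basic_auth=creds))


def refresh_access_token(transport, service, scope, refresh_token):
    """Exchange a refresh token for a new access token; only the OAuth2 endpoint defines this."""
    form = {"grant_type": "refresh_token", "service": service, "scope": scope,
            "client_id": "example-client", "refresh_token": refresh_token}
    return _check(*transport("POST", "/token", form))
```

`transport` is any callable with the signature `(method, path, params, basic_auth=None) -> (status, body)`, so the same client logic can be pointed at a real HTTP layer; the stub keeps the example network-free. The `legacy_only_server` variant shows the 404 fallback path, and `refresh_access_token` shows why question 3 matters: the refresh exchange only exists on the OAuth2 endpoint in this model.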