proposal for client context profiles #316
Replies: 1 comment 5 replies
-
|
The difficulty I see with this approach is that we’re starting to mix function options with the client context, which only had one purpose so far. Why would we have I see an argument where we treat |
Beta Was this translation helpful? Give feedback.
-
|
Maybe %% ClientContext looks like:
%% #oidcc_client_context{
%% provider_configuration = #oidcc_provider_configuration{},
%%. ...
%% client_opts = #oidcc_client_context_opts{
%% require_pkce = true,
%% only_trusted_audiences = true,
%% only_requested_scopes = true,
%% ...
%% }
%% }
{ok, #oidcc_token{}} = oidcc_token:retrieve_token(AuthCode, ClientContext, #{trusted_audiences => [<<"other-client">>]} |
Beta Was this translation helpful? Give feedback.
-
|
If we go down this route, I would probably avoid having two options controlling the same thing and instead just merge client context options and the function options. For example for
What I like about your approach with the
With this proposal we're kind of moving back towards that direction and I'm asking myself if we're using the correct abstraction or if we should provide a client context worker variant where the user only needs to specify some name / pid to reference the context. |
Beta Was this translation helpful? Give feedback.
-
|
I think I see what you're saying. Something like this? {ok, #oidcc_token{}} = oidcc_token:retrieve_token(AuthCode, ClientContext, #{profiles => [fapi2]})where that's translated internally to: {ok, #oidcc_token{}} = oidcc_token:retrieve_token(AuthCode, ClientContext, #{require_pkce => true, trusted_audiences => [], ...}) |
Beta Was this translation helpful? Give feedback.
-
|
@paulswartz Yes, exactly. |
Beta Was this translation helpful? Give feedback.
-
|
Implemented in #317 |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Here's what I was thinking:
External API
{ok, #oidcc_client_context{}} = oidcc_client_context:from_configuration_worker( Worker, <<"client_id">>, <<"client_secret">>, #{ profiles => [fapi2] }).Internal interface
oidcc_client_contextrecord,client_optsprofilesis key mapped byoidcc_client_contextinto combination ofclient_opts(such astrusted_audiencesas discussed in feat: Demonstrating Proof of Posession (DPoP) #315 ) and updates to theprovider_configuration(enforcing S256 PKCE, removing less-secure signing/encryption algorithms)client_optscan also be provided as opts infrom_configuration_worker/4.oidcc_*modules look at theclient_optsrather than directly at profile keys. This allows profiles to share options, without needing the internals to be updated for each new profile.Beta Was this translation helpful? Give feedback.
All reactions