-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement JWT Bearer grant #159
base: main
Are you sure you want to change the base?
Conversation
I really appreciate this contribution, but... I'm running into the same issue with this as I have with folks asking for OpenID Connect related features. There's no reasonable way to add this without being in conflict with some of the stated goals of this project, being:
It's hard to do given that some JWT dependency has to be pulled in. I really wish browsers had some JWT thing built in, this would make this a lot easier. So really the question then is: do I change the goals of the project, do OpenID Connect, add JWT? I don't think I'm ready to really decide this. Maybe next year? (got a baby on the way, seems to big right now lol). So instead maybe this contribution could be it's own package as a sort of add-on? I could link to it if you're willing to maintain it? On the practical side, the |
efa5758
to
950df5b
Compare
Hello @evert, Thank you for the fast reply! No worries at all, I understand and appreciate the goal of keeping the library simple and lightweight. I simplified my implementation so that it's possible to retrieve an access token using the JWT Bearer grant, but the JWT needs to be generated externally. What do you think ? |
Hey! Apologies for taking a while with this again. I spent a bit of time reading: But to be perfectly frank, I'm still a little lost with both. It's a usecase I don't fully understand yet, and I don't have myself. It's hard for me to integrate a feature I don't have a strong grasp on, because I lack the confidence to build an interface I feel strongly about, nor do I have obvious ways to test this. Long term, I think I also decided I'm both interested in adopting this, AND finding a lightweight JWT solution and bring in more OIDC features, but all of has to wait till have a window of free time, which I don't see happening for at least 4-5 months, due to some pretty major personal events happening in my life. So for now I have to put this in the can, until I can bring this feature in with the confidence I need. I understand this is probably not the result you're hoping for. A good PR is one of the greatest honors for a project, so apologize I can't do more right now. |
Thank you for looking into, and no worries, I was able to work around this for my project. FYI, I faced the issue while using Google APIs with a service account. When you create a service account in GCP, what you get is a JSON file containing the credentials of this service account. This JSON file contains a private key that is needed to sign a JWT (which you then exchange for an access token, using the token endpoint). Most people do not have this need because they use Google's SDK to use their API, but this is actually what happens under the hood. In my project I need to support connections to any 3rd-party API and not just Google (hence why I do not use their SDK). More info here: https://developers.google.com/identity/protocols/oauth2/service-account#httprest |
This is a work-in-progress to implement the JWT Bearer grant type (which is needed in server-to-server setups, for example with Google APIs).
See: https://developers.google.com/identity/protocols/oauth2/service-account#httprest
This implementation adds the
jsonwebtoken
package as a dependency, which is probably not okay... Maybe the JWT could be generated outside of the library?