proposal: x/oauth2: allow making raw post requests to server #72028
Labels
LibraryProposal
Issues describing a requested change to the Go standard library or x/ libraries, but not to a tool
Proposal
Milestone
Comments
seankhliao
changed the title
gabyhelp
added
the
LibraryProposal
|
imo this makes it too easy to misuse and leak credentials against an unintended server. I think it should be: type Endpoint struct{
RevokeURL string
// ...
}
// Revoke a token using Endpoint.RevokeURL if available, otherwise return an error.
func (c *Config) Revoke(ctx context.Context, token *Token) errorPeople can add the revocation URLs for well known providers as they need them. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Proposal Details
Allow making raw HTTP POST requests to the authz server
This PR adds functionality to make token-style HTTP requests to an arbitrary endpoint of the authz server, instead of just for retrieving tokens.
Use case: the main motivation was to support for OAuth2 token revocation per RFC7009. The token revocation endpoint requires client credentials, and implementing it outside of this library requires effectively re-implementing the auth style auto-sensing & caching.
This seemed the most convenient way of leveraging the library for token revocation. If desired, I can also make this less general to only support token revocation, but a.o.t. this would require figuring out the revocation URLs for all supported providers, which is outside my current time budget.
The text was updated successfully, but these errors were encountered: