You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: README.md
+50-2Lines changed: 50 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,6 +20,8 @@ Vapor OAuth is an OAuth2 Provider Library written for Vapor. You can integrate t
20
20
21
21
It follows both [RFC 6749](https://tools.ietf.org/html/rfc6749) and [RFC6750](https://tools.ietf.org/html/rfc6749) and there is an extensive test suite to make sure it adheres to the specification.
22
22
23
+
It also implements the [RFC 7662](https://tools.ietf.org/html/rfc7662) specification for Token Introspection, which is useful for microservices with a shared, central authorization server.
24
+
23
25
Vapor OAuth supports the standard grant types:
24
26
25
27
* Authorization Code
@@ -45,13 +47,13 @@ dependencies: [
45
47
Next import the library into where you set up your `Droplet`:
To integrate the library, you need to set up a number of things, which implement the various protocols required:
@@ -62,6 +64,7 @@ To integrate the library, you need to set up a number of things, which implement
62
64
*`AuthorizeHandler` - this is responsible for allowing users to allow/deny authorization requests. See below for more details. If you do not want to support this grant type you can exclude this parameter and use the default implementation
63
65
*`UserManager` - this is responsible for authenticating and getting users for the Password Credentials flow. If you do not want to support this flow, you can exclude this parameter and use the default implementation.
64
66
*`validScopes` - this is an optional array of scopes that you wish to support in your system.
67
+
*`ResourceServerRetriever` - this is only required if using the Token Introspection Endpoint and is what is used to authenticate resource servers trying to access the endpoint
65
68
66
69
Note that there are a number of default implementations for the different required protocols for Fluent in the [Vapor OAuth Fluent package](https://github.com/brokenhandsio/vapor-oauth-fluent).
67
70
@@ -79,6 +82,10 @@ This will throw a 401 error if the token is not valid or does not contain the `p
79
82
80
83
You can also get the user with `try request.oauth.user()`.
81
84
85
+
### Protecting Resource Servers With Remote Auth Server
86
+
87
+
If you have resource servers that are not the same server as the OAuth server that you wish to protect using the Token Introspection Endpoint, things are slightly different. See the [Token Introspection](#token-introspection) section for more information.
88
+
82
89
# Grant Types
83
90
84
91
## Authorization Code Grant
@@ -141,3 +148,44 @@ Note that if you are using the password flow, as per [the specification](https:/
141
148
## Client Credentials Grant
142
149
143
150
Client Credentials is a userless flow and is designed for servers accessing other servers without the need for a user. Access is granted based upon the authentication of the client requesting access.
151
+
152
+
## Token Introspection
153
+
154
+
If running a microservices architecture it is useful to have a single server that handles authorization, which all the other resource servers query. To do this, you can use the Token Introspection Endpoint extension. In Vapor OAuth, this adds an endpoint you can post tokens tokens at `/oauth/token_info`.
155
+
156
+
You can send a POST request to this endpoint with a single parameter, `token`, which contains the OAuth token you want to check. If it is valid and active, then it will return a JSON payload, that looks similar to:
157
+
158
+
```json
159
+
{
160
+
"active": true,
161
+
"client_id": "ABDED0123456",
162
+
"scope": "email profile",
163
+
"exp": 1503445858,
164
+
"user_id": "12345678",
165
+
"username": "hansolo",
166
+
"email_address": "hansolo@therebelalliance.com"
167
+
}
168
+
```
169
+
170
+
If the token has expired or does not exist then it will simply return:
171
+
172
+
```json
173
+
{
174
+
"active": false
175
+
}
176
+
```
177
+
178
+
This endpoint is protected using HTTP Basic Authentication so you need to send an `Authorization: Basic abc` header with the request. This will check the `ResourceServerRetriever` for the username and password sent.
179
+
180
+
**Note:** as per [the spec](https://tools.ietf.org/html/rfc7662#section-4) - the token introspection endpoint MUST be protected by HTTPS - this means the server must be behind a TLS certificate (commonly known as SSL). Vapor OAuth leaves this up to the integrating library to implement.
181
+
182
+
### Protecting Endpoints
183
+
184
+
To protect resources on other servers with OAuth using the Token Introspection endpoint, you either need to use the `OAuth2TokenIntrospectionMiddleware` on your routes that you want to protect, or you need to manually set up the `Helper` object (the middleware does this for you). Both the middleware and helper setup require:
185
+
186
+
*`tokenIntrospectionEndpoint` - the endpoint where the token can be validated
187
+
*`client` - the `Droplet`'s client to send the token validation request with
188
+
*`resourceServerUsername` - the username of the resource server
189
+
*`resourceServerPassword` - the password of the resource server
190
+
191
+
Once either of these has been set up, you can then call `request.oauth.user()` or `request.oauth.assertScopes()` like normal.
0 commit comments