Welcome to ts-oauth2-server Discussions! #127
Replies: 1 comment 3 replies
-
|
Hey, Thanks for the awesome package, when I reviewed the code I thought it was simple enough and reminded me of the the php oauth2-server package. Also, I am using this for one of my production products atm to implement a custom oauth2 provider in serverless. One feature that was a requirement for the project was to be able to login with OTP, so I wanted to develop a custom grant that would allow a two step otp flow, similar to password grant but with a followup confirmation call. The issue I had was. that I was not able to add a new grant to my runtime because there was some coupling between the AuthorizationServer class and the grants. In the end, to get my use case working I just copied the AuthorizationServer.ts file into my project directly, and added my custom grant. I noticed that in the latest version, you have the following api to add grants: const authorizationServer = new AuthorizationServer(
clientRepository,
accessTokenRepository,
scopeRepository,
new JwtService("secret-key"),
);
// Enable as many or as few grants as you'd like.
authorizationServer.enableGrantTypes(
"client_credentials",
"refresh_token",
);
// with custom token TTL
authorizationServer.enableGrantTypes(
["client_credentials", new DateInterval("1d")],
["refresh_token", new DateInterval("1d")],
);My suggestion is that the AuthorizationServer class should not know about any specifc grant, and it should just know about the AbstractGrant interface, and then allow the user of the library to add the grants they are interested in, for example: const authorizationServer = new AuthorizationServer(
clientRepository,
accessTokenRepository,
scopeRepository,
new JwtService("secret-key"),
);
authorizationServer.addGrant(new ClientCredentialsGrant(...), new DateInterval("1d"))
authorizationServer.addGrant(new RefreshTokenGrant(...), new DateInterval("7d"))
authorizationServer.addGrant(new CustomOTPGrant(...), new DateInterval("1d"))An similar example if this api style can be found here: https://oauth2.thephpleague.com/authorization-server/client-credentials-grant/ If you adopted this apporoach, I could revert to directly using your framework, with the built int grants while being able to add my own grants. That's my suggest :) |
Beta Was this translation helpful? Give feedback.
-
|
What if we just allowed any arbitrary abstract grant to be initialized diff --git a/src/authorization_server.ts b/src/authorization_server.ts
index 0a394b7..19e3d86 100644
--- a/src/authorization_server.ts
+++ b/src/authorization_server.ts
@@ -17,6 +17,7 @@ import { DateInterval } from "./utils/date_interval.js";
import { JwtInterface, JwtService } from "./utils/jwt.js";
import { DEFAULT_AUTHORIZATION_SERVER_OPTIONS } from "./options.js";
import { ProcessTokenExchangeFn, TokenExchangeGrant } from "./grants/token_exchange.grant.js";
+import { AbstractGrant } from "./grants/abstract/abstract.grant.js";
/**
* @see https://tsoauth2server.com/configuration/
@@ -45,6 +46,9 @@ export type EnableableGrants =
| {
grant: "urn:ietf:params:oauth:grant-type:token-exchange";
processTokenExchange: ProcessTokenExchangeFn;
+ }
+ | {
+ grant: AbstractGrant;
};
export type EnableGrant = EnableableGrants | [EnableableGrants, DateInterval];
@@ -135,6 +139,8 @@ export class AuthorizationServer {
this.jwt,
this.options,
);
+ } else if (toEnable.grant instanceof AbstractGrant) {
+ grant = toEnable.grant;
}
if (!grant) {Then you should be able to enable it like any other grant. const authorizationServer = new AuthorizationServer(
clientRepository,
accessTokenRepository,
scopeRepository,
new JwtService("secret-key"),
);
const customGrant = new CustomOTPGrant(...);
authorizationServer.enableGrantTypes(
["client_credentials", new DateInterval("1d")],
[customGrant, new DateInterval("1d")],
);What are your thoughts on this idea? |
Beta Was this translation helpful? Give feedback.
-
|
Yea, this would work also, but feels like we are not utilising the interfaces, as the AuthorizationService knows about specific grant types rather than just working with AbstractGrant interface, for me, the AuthorizationServer doesn't need to know about what specific grant is. Whatever you choose it should allow me to go back to using your library directly, which will be great for me. |
Beta Was this translation helpful? Give feedback.
-
|
I definitely get where you're coming from, and for the most part agree with what you are saying, but at this point I just don't think I want to introduce that much of a change of the API. If I was starting over, I would build the API to be more similar to what you are describing. I think at this point, the only real "major" version changes I want to make are for super minor api changes and node version support. I have #129 tracking this work |
Beta Was this translation helpful? Give feedback.
-
👋 Welcome!
We’re using Discussions as a place to connect with other members of our community. We hope that you:
build together 💪.
To get started, comment below with an introduction of yourself and tell us about what you do with this community.
Beta Was this translation helpful? Give feedback.
All reactions