-
Notifications
You must be signed in to change notification settings - Fork 393
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow the use of Pushed Authentication Requests when supported by the provider #409
Comments
Do you have a sense of what API additions would be needed from go-oidc to support this? Briefly looking at the spec, it seems like this might be more suitable as a golang.org/x/oauth2 feature? |
Thank you for your quick response! I must admit I had not given the actual implementation much thought before posting the issue, but you are right, after some more digging it seems that most of the implementation belongs in golang.org/x/oauth2. I think though that we would like to extract the endpoint URL from the pushed_authorization_request_endpoint in the auth server metadata (here Line 230 in 6d6be43
Line 283 in 6d6be43
|
Thanks for the reply! Any additional metadata endpoints can be retrieved through https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#Provider.Claims (We should really have a better name for that method) |
I would like to be able to use PAR with go-oidc, but sadly it does not seem to support that. See https://datatracker.ietf.org/doc/html/rfc9126 and https://medium.com/oauth-2/pushed-authorization-requests-draft-adopted-by-oauth-working-group-a1060007150f
I am willing to take a stab at implementing support for this, unless someone is already working on it.
The text was updated successfully, but these errors were encountered: