
RFC8707 - Possible Missing Multiple Resources handling for Code Flow Authorization Request

See original GitHub issue

Hello,

My question might be totally naive, but here I go: We have an SSO from which we’re getting Access/Refresh/Id tokens in order to later call 2 Services. We’re trying to add the resource information as part of the AuthCode Grant during signing in order to generate dedicated token(s ?) to hit both ApiOne and ApiTwo. (see image above from the RFC: RFC 8707 - Resource Indicators for OAuth 2.0)

(On refresh the same will apply by sending the last valid refresh token + the appropriate resources)

My question being … how can this be achieved with the library today for both SignIn, Refresh, etc … From the OidcClient.ts resource seems to be a simple string here: https://github.com/authts/oidc-client-ts/blob/0e6bfc22ba2181bf52934b1666ac61d9a0a92069/src/OidcClient.ts#L37

and it seems to be forwarded https://github.com/authts/oidc-client-ts/blob/0e6bfc22ba2181bf52934b1666ac61d9a0a92069/src/OidcClient.ts#L111

And I cannot find the code mapping that to the &resource=

Issue Analytics

  • State: closed
  • Created 10 months ago
  • Comments:9 (9 by maintainers)

Top GitHub Comments

1 reaction
tebeco commented, Dec 8, 2022

thx @pamapa, the assigned dev here was not able to test the change; I noticed that I forgot to ping you back last time

Thx for having merged it in the meanwhile 😉

I’ll try to keep you posted anyway later on

1 reaction
pamapa commented, Nov 18, 2022

@tebeco About invalid resources: I would say shit in, shit out: the resource is coming directly from the developer.

I think it's better to just check for Array.isArray(resource):

```ts
// https://datatracker.ietf.org/doc/html/rfc8707
// Accept either a single resource string or an array of them and emit one
// `resource` query parameter per value. Assumes the caller has already
// checked that `resource` is set (that guard is not part of this snippet).
const resources = Array.isArray(resource) ? resource : [resource];
resources.forEach(r => parsedUrl.searchParams.append("resource", r));
```
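To show what the string-or-array handling above does end to end, here is an added example (not oidc-client-ts code) that builds an authorization request with one `resource` parameter per target API and rejects indicator values RFC 8707 forbids; `buildAuthorizeUrl`, `resourcesOf`, `validateResource` and `ResourceError` are this example's own names.

```typescript
// Added example, not oidc-client-ts code: build an authorization request
// carrying several RFC 8707 resource indicators (one `resource` query
// parameter per target API) and reject indicator values the RFC forbids.
// buildAuthorizeUrl, resourcesOf and ResourceError are this example's own names.

class ResourceError extends Error {}

// RFC 8707 section 2: a resource value MUST be an absolute URI, MUST NOT
// contain a fragment, and SHOULD NOT contain a query component. The value
// is returned untouched so the server sees exactly the string configured.
function validateResource(r: string): string {
  let u: URL | undefined;
  try {
    u = new URL(r); // throws for relative or malformed input
  } catch {
    u = undefined;
  }
  if (u === undefined) throw new ResourceError(`not an absolute URI: ${r}`);
  // URL.hash / URL.search are "" for both an absent and an empty component,
  // so the raw string is also checked for a trailing "#" or "?".
  if (u.hash !== "" || r.endsWith("#")) throw new ResourceError(`fragment not allowed: ${r}`);
  if (u.search !== "" || r.endsWith("?")) throw new ResourceError(`query not allowed: ${r}`);
  return r;
}

interface AuthorizeParams {
  client_id: string;
  redirect_uri: string;
  scope: string;
  state: string;
  resource?: string | string[]; // one API or several, as in the fix above
}

function buildAuthorizeUrl(authorizeEndpoint: string, p: AuthorizeParams): string {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", p.client_id);
  url.searchParams.set("redirect_uri", p.redirect_uri);
  url.searchParams.set("scope", p.scope);
  url.searchParams.set("state", p.state);
  // Accept a single string or an array; append (not set) so every value survives.
  const resources = Array.isArray(p.resource) ? p.resource : p.resource === undefined ? [] : [p.resource];
  for (const r of resources) url.searchParams.append("resource", validateResource(r));
  return url.toString();
}

// Read every resource indicator back from a request URL; getAll() keeps
// repeats and their order, which is what the authorization server sees.
function resourcesOf(requestUrl: string): string[] {
  return new URL(requestUrl).searchParams.getAll("resource");
}
```

The same validation applies to the refresh-token request, where the indicators are sent as form fields rather than query parameters.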
