
Add OBO middleware [Feature request]


Describe the feature you’d like

It would be nice to have the framework allow more than one API scope. The case where this is needed is if you have multiple business applications that need access to the same API (for example, like how both Teams and Outlook have access to your calendar). Features like this are supported in .NET frameworks by making a list of valid issuers and audiences, instead of enforcing just one (see this StackOverflow example for how the .NET AddJwtBearer middleware works).

The “correct way” of dealing with these cases is to add middleware implementing the OBO (“On-Behalf-Of”) flow. Usually this is handled by the client, but for third party applications and/or plugins, we cannot initiate OBO client-side.

Additional context

If I supply an access token with an audience that I’ve added to my application’s knownClientApplications list, the token validation should pass.

Issue Analytics

  • State: open
  • Created a year ago
  • Comments: 7 (5 by maintainers)

Top GitHub Comments

JonasKs commented, Sep 13, 2022

Who will be the issuer of these tokens? Your tenant or a generic Microsoft tenant (making it multi-tenant)? As far as I can see, the only parameter that we need to support a list for is the audience.

Since we don’t actually manually pass in audience, I think this could be an audience: list[str] | None = None parameter. This way we don’t have to change any documentation or have any breaking changes, but one could manually pass in audience if one wants to.
In other words, this should be audience or client_id if token_version == 2 else f'api://{client_id}'… Unfortunately, I checked python-jose, and it does not support a list of audiences. In other words, we’d have to do audience verification manually, or (preferably) try to implement this in python-jose.
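
Added example, not part of the original issue or of the fastapi-azure-auth code base: one way to do the manual audience verification discussed above, checking the `aud` claim of an already signature-verified token against an allow-list. The helper names and sample IDs are hypothetical, and it assumes the JWT library's own audience check is switched off first (in python-jose, `options={'verify_aud': False}`).

```python
from typing import Iterable, Mapping, Optional

# Constructed sample identifiers, not real application IDs.
API_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
PLUGIN_AUDIENCE = "api://22222222-2222-2222-2222-222222222222"


class InvalidAudience(Exception):
    """The token's `aud` claim matches none of the accepted audiences."""


def expected_audiences(client_id: str, token_version: int,
                       audience: Optional[Iterable[str]] = None) -> frozenset:
    """Build the allow-list (hypothetical helper).

    An explicit, non-empty list wins for both token versions (assumption);
    otherwise fall back to the single default: the client ID for v2 tokens
    and the api://<client_id> URI for v1 tokens.
    """
    if isinstance(audience, str):  # a bare string must not be split into characters
        audience = [audience]
    explicit = frozenset(audience or ())
    if explicit:
        return explicit
    return frozenset({client_id if token_version == 2 else f"api://{client_id}"})


def verify_audience(claims: Mapping[str, object], allowed: frozenset) -> str:
    """Return the matching audience or raise InvalidAudience (fails closed).

    `claims` must come from a token whose signature, issuer and expiry were
    already verified. RFC 7519 lets `aud` be one string or a list of strings.
    """
    aud = claims.get("aud")
    presented = [aud] if isinstance(aud, str) else aud
    if (not isinstance(presented, list) or not presented
            or not all(isinstance(a, str) for a in presented)):
        raise InvalidAudience("missing or malformed aud claim")
    for candidate in presented:
        if candidate in allowed:  # exact, case-sensitive comparison
            return candidate
    raise InvalidAudience(f"audience {presented!r} is not accepted")


if __name__ == "__main__":
    allowed = expected_audiences(API_CLIENT_ID, 2, [API_CLIENT_ID, PLUGIN_AUDIENCE])
    print(verify_audience({"aud": PLUGIN_AUDIENCE}, allowed))
```

Keeping the allow-list explicit and matching on exact strings means a token minted for any other application in the tenant is still rejected.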
