Implement RFC9101 JWT secured authentication requests (JAR) #749
Merged: azmeuk merged 6 commits into authlib:main on May 18, 2025
Conversation
Member:
There are many conflicts.
Member (Author):
They are fixed!
Force-pushed 9b6da3d to b74876f
Member:
Since this PR will be included in
Member (Author):
Ok I will update the deprecations then.
This would avoid calling 'get_authorization_grant' a second time (after it was called a first time in 'get_consent_grant'). This would help avoid making the same network request twice when the RFC9101 'request_uri' parameter is used.
- Introduce a 'Hookable' class and a 'hooked' parameter.
- RFC9207 'iss' is an 'AuthorizationServer' extension instead of a 'Grant' extension.
Member (Author):
@lepture this is fixed
lepture approved these changes on May 17, 2025
This pull request brings a few refactorings and the implementation for RFC 9101, The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR).

To summarize, RFC9101 is about passing the authorization request payload in a JWT, called a request object, instead of passing it in the request body or query string. The request object is passed in a `request` parameter, or hosted at the client and the URI to the request object is passed in a `request_uri` parameter.

To achieve this I had to perform some refactoring, and deprecate some usage with planned removal for Authlib 1.7 (so we can release 1.6 including this PR).

- The `execute_hook` method is replaced by a `hooked` decorator. This helps catch a method result every time when several `return` calls are in the method. There is no deprecation for hooks as I considered it Authlib private API.
- An `AuthorizationServer` extension mechanism is introduced, and the RFC9207 `IssueParameter` is now an authorization server extension instead of a grant extension. Using `IssueParameter` as a grant extension is tolerated until 1.7.
- `create_authorization_response` takes a `grant` parameter. This is to avoid calling `get_consent_grant` twice, which can be costly when a network request is performed to reach the `request_uri` endpoint. The parameter is optional at the moment but will become mandatory with 1.7.
- `OAuth2Request` has been split into another `OAuth2Payload` class. This helps separate the request object and the request payload, so the rfc9101 extension can overwrite the request payload with the request object content. Properties like `request.data` are deprecated in favor of `request.payload.data` and will be removed in 1.7.

Fixes #723
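The `request` / `request_uri` handling the description summarizes, as an added example that is not Authlib's code and does not use Authlib's rfc9101 extension API. It signs a request object on the client side, then resolves it on the server side the way the PR motivates: the `request_uri` document is fetched exactly once, the signature is checked before any claim is trusted, `alg: none` is rejected, a nested `request`/`request_uri` inside the object is rejected, the `client_id` in the query must match the one in the object, and the object's claims replace the query parameters as the effective payload. HS256 with a constructed client secret stands in for the client's registered key, and an in-memory dict stands in for the client-hosted `request_uri` endpoint; `ISSUER`, `CLIENTS`, the `AuthorizationServer` class and all identifiers are assumptions made for the example.

```python
# Added example, not Authlib code: a minimal RFC 9101 request-object flow on the
# standard library only. The issuer, client registry and request_uri store below
# are constructed for the example.
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://as.example"                        # constructed issuer identifier
CLIENTS = {"app-123": b"constructed-client-secret"}  # constructed client registry
HOSTED_REQUEST_OBJECTS = {}  # constructed stand-in for documents a client hosts at a request_uri


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, secret: bytes) -> str:
    """Client side: wrap the authorization request parameters in an HS256 JWS."""
    header = {"alg": "HS256", "typ": "oauth-authz-req+jwt"}
    signing_input = b64url(json.dumps(header).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_request_object(token: str, secret: bytes) -> dict:
    """Server side: verify the JWS and return its claims.

    Anything other than HS256 (including alg=none) is rejected before the
    claims are even decoded, so unsigned objects can never reach the grant.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("invalid_request_object: malformed JWT")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"invalid_request_object: unsupported alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid_request_object: bad signature")
    return json.loads(b64url_decode(claims_b64))


class AuthorizationServer:
    """Resolves the JAR parameters of an authorization request into one payload."""

    def __init__(self, issuer: str, clients: dict):
        self.issuer = issuer
        self.clients = clients
        self.request_uri_fetches = 0  # counts the network round-trips a real server would make

    def fetch_request_uri(self, uri: str) -> str:
        # A real server performs an HTTPS GET here (and should restrict the URIs
        # a client may use); this example reads the constructed in-memory store.
        self.request_uri_fetches += 1
        if uri not in HOSTED_REQUEST_OBJECTS:
            raise ValueError("invalid_request_uri")
        return HOSTED_REQUEST_OBJECTS[uri]

    def resolve_request_payload(self, query: dict) -> dict:
        """Return the effective authorization request parameters.

        When a request object is present its claims are the payload; query
        parameters other than client_id are ignored rather than merged.
        """
        if "request" in query and "request_uri" in query:
            raise ValueError("invalid_request: request and request_uri are mutually exclusive")
        client_id = query.get("client_id")
        if client_id not in self.clients:
            raise ValueError("invalid_client")
        if "request" in query:
            token = query["request"]
        elif "request_uri" in query:
            token = self.fetch_request_uri(query["request_uri"])  # fetched once, then reused
        else:
            return dict(query)  # ordinary (non-JAR) request passes through unchanged
        claims = verify_request_object(token, self.clients[client_id])
        if "request" in claims or "request_uri" in claims:
            raise ValueError("invalid_request_object: nested request/request_uri")
        if claims.get("client_id") != client_id:
            raise ValueError("invalid_request_object: client_id mismatch")
        aud = claims.get("aud")
        if aud is not None and self.issuer not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("invalid_request_object: aud is not this server")
        if "exp" in claims and claims["exp"] < time.time():
            raise ValueError("invalid_request_object: expired")
        return claims
```

The resolved payload is what the rest of the authorization flow should consume, in the spirit of the `OAuth2Payload` split described above: once `resolve_request_payload` has returned, nothing downstream should look at the raw query again, and nothing should trigger a second `request_uri` fetch.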