Details
-
Task
-
Resolution: Unresolved
-
Major
-
None
-
None
-
None
Description
We presently have support for OAuth2 within our SASL authentication mechanisms to enable tools such as the CLI to make use of an authorization server to obtain an access token.
We should review what else is presently available for OAuth2 for applications within the application server and what we should be doing, especially in the context of confidential clients.
Our implementation of a Bearer HTTP authentication mechanism does challenge but I don't believe all do so to avoid round trips, additionally additional information may be required such as which authorization server to contact and names of relevant scopes etc..
Can anything be done to automate the redirection to the client if required?
How about storage of tokens, either access or refresh tokens? What do they relate to?
For a client credentials grant should the tokens be stored in possibly the credential store? But maybe they relate to a single application only.
For the resource owner grants do they live just within a session? Could they be associated with the current SecurityIdentity for future use.
Overall this task is to understand where we are and where we could go.