ory/fosite

Best way to replicate a refresh_token flow using Fosite.

tn185075 opened this issue · 5 comments

Describe your problem

For refresh_token flow,

  • We add offline/offline_access to the scope, which results in an additional field in our response adding refresh_token.
  • We later use this result to actually refresh the access token with refresh_token grant to the token endpoint.

I wanted to do something similar with a different scope and grant_type. What's the best way to go about it?

Describe your ideal solution

The ideal solution is to extend fosite without actually changing the original codebase, and without even touching the real endpoints, but to compose the provider so it handles this as if it were supported by base fosite.

Workarounds or alternatives

A new factory handling the grant and populating token response when a scope is requested?

Version

latest

Additional Context

No response

I believe this is probably already supported and these are the only necessary changes:

  1. Make sure this returns the scopes you wish to be allowed to grant refresh tokens: https://github.com/ory/fosite/blob/v0.44.0/config.go#L61-L65
  2. Make sure this returns the refresh_token grant type: https://github.com/ory/fosite/blob/v0.44.0/client.go#L21-L22

Aah, I don't want this to relate to the refresh token flow. I never need a refresh_token. I need a new flow similar to refresh_token. When I add, say, james as a scope, I need james_token to be added to the response. I should be able to use james_token as a grant type to hit the token endpoint and get an access token back again.

Implement a grant factory which can do this? How do I add something to accessResponse based on the scope? I don't want to tweak my token endpoint nor have my own fosite. I want to make use of its extensibility.

Oh makes sense now! Dur. Yeah there's probably a way to do it via creating your own handlers. I am not familiar enough to help but I'll keep this in mind if it becomes obvious (going to be making a PR in hydra soon).

@aeneasr Any comments/thoughts/suggestions?

Was able to do it using factories and adding them to compose while I created my provider, and implemented a token handler for each of them.

This supposedly looks like the fosite way 😀 !
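
The flow discussed in this thread, as an added sketch that is not code from the thread or from fosite: a handler that adds `james_token` to the token response when the `james` scope is granted, and redeems it as a grant type with client binding and single use. The method names mirror fosite's token endpoint handler, but `Request`, `Response`, `JamesHandler` and `hashToken` are hypothetical stand-ins; a real handler takes fosite's own requester and responder interfaces and is registered through a compose factory.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Request/Response: simplified stand-ins (assumptions) for fosite's AccessRequester/AccessResponder.
type Request struct {
	GrantType, ClientID string
	GrantedScopes       map[string]bool
	Form                map[string]string
}
type Response struct{ Extra map[string]string }

// JamesHandler (hypothetical) keeps sha256(token) -> client ID, never the raw token.
type JamesHandler struct{ store map[string]string }

func hashToken(t string) string { s := sha256.Sum256([]byte(t)); return hex.EncodeToString(s[:]) }
func (h *JamesHandler) CanHandleTokenEndpointRequest(r *Request) bool { return r.GrantType == "james_token" }

// HandleTokenEndpointRequest redeems a token: it must exist, belong to the caller, and is then consumed.
func (h *JamesHandler) HandleTokenEndpointRequest(r *Request) error {
	key := hashToken(r.Form["james_token"])
	if owner, ok := h.store[key]; !ok || owner != r.ClientID {
		return fmt.Errorf("invalid_grant")
	}
	delete(h.store, key) // single use; the populate step issues the replacement
	r.GrantedScopes = map[string]bool{"james": true}
	return nil
}

// PopulateTokenEndpointResponse adds james_token only when the "james" scope was granted.
func (h *JamesHandler) PopulateTokenEndpointResponse(r *Request, resp *Response) error {
	if !r.GrantedScopes["james"] {
		return nil
	}
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return err
	}
	tok := hex.EncodeToString(raw)
	h.store[hashToken(tok)], resp.Extra["james_token"] = r.ClientID, tok
	return nil
}
func main() {
	h := &JamesHandler{store: map[string]string{}}
	fmt.Println(h.HandleTokenEndpointRequest(&Request{ClientID: "app", Form: map[string]string{"james_token": "guess"}}))
}
```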