-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Oidc Access Token Provider #771
Comments
Thanks for starting the conversation here. |
Right, standing an external package's always viable, still I think that it doesn't, easily, enable all of the scenarios. In addition it might cause issues on the user's classpath, I love how Kiota separates the concerns and you end up with very minimal dependencies; providing an external library locks the user to specific core libraries or they are going to end up with multiple HTTP client, serialization libraries etc. |
Sorry for the delay, I have not forgotten about this, but I wanted to try out a different approach to see how it plays out. The consideration I have made is:
Hence we can directly leverage the specific HTTP Client, built-in, authentication implementation. I have experimented with this approach and the Vert.X client, here you can see how it looks like from a user's perspective. Thoughts? |
Just to state it explicitly, my favorite option would be to have a Kiota Auth layer that can be reused across implementations. |
Thanks for providing more context here.
In my experience, while "easy" and already existing, authentication providers that are tied to the http client often lack features:
All those features can be provided by the underlying authentication library we'd be using to implement the different authentication scenarios (like a generic OIDC lib for java for example), or in a generic way through a proxy design pattern in kiota's abstractions. But I agree that building authentication providers across languages is a big task, on the other hand, if we don't do it, it'll add friction to people using kiota clients to talk to their favorite API. I think a first step would be to:
From there we should see where customers demand takes us: do they want more "first party" authentication providers for additional scenarios (basic, API key, cookie, NTLM/kerberos, OIDC, certificate exchange, etc...), an eco-system of third party providers, the client to be somehow already generated with authentication setup for them, something else? What do you think? |
Correct, I agree, but, at the same time, the current API is limiting the opportunity to write generic
I'm interested in hearing more about this!
I agree that we need some more documentation on this aspect, but I don't think that we should "officially" state that people can mix and match options for authentication. I'm all in for collecting community, user and customer feedback on this aspect, but I think that we have to make an opinionated call here and decide either:
Taking any in-between position is likely going to cause fragmentation in the ecosystem and overall confusion, at least in my opinion. |
Implementing token caching generically for all oauth providers would only be a matter of re-implementing AuthenticationProvider, while accepting an AuthenticationProvider as a constructor argument, as well as a couple of settings (how to build the cache key from the request information with things like path/query parameters/headers) . This implementation would then:
(there are a couple of additional aspects with www-authenticate headers, token valid periods, etc... but this is the gist of it). I understand the challenge, in terms of fragmentation of the ecosystem. Getting the funding to build a bunch of authentication providers on our end will be challenging at best. This is why I wanted to rely on the community and partners to bridge the gaps here. But it we don't provide:
It's not going to happen. looping in @sebastienlevert for visibility |
I have now implemented quite a few times
OidcTokenAccessProvider
, for example here.Despite it being almost trivial in the end user codebase it turns out that is difficult to refactor the mechanism up to this repository.
More specifically the challenges are:
HttpClient
(orRequestAdapter
but I think there are a few gaps later on) - possibly we should be able to decide to use the same or a different one from the "normal" API callsI'm here looking for guidance on how we can approach the problem.
I have attempted at first to add an
initialize
method toAccessTokenProvider
and toAuthenticationProvider
so that it can be eventually triggered by theRequestAdapter
implementation.I started having too many things to pull in and thought that it was not a great design ...
The text was updated successfully, but these errors were encountered: