[Announcement] OAuth2.1 and OAuth3 drafts #2248
Comments
|
Thanks for the heads-up, You're right to assume |
|
The reasons for dropping the query parameter method of sending access tokens also apply to any sort of API keys, so while that's not necessarily an OAuth issue, it is still a good idea to disallow API keys in query strings. And yes, this is a reasonable summary of the points in the video 😄 |
It would leave the OAS unable to describe a large number of current APIs - best practices aside. |
|
Yep, OpenAPI is not here to tell people how to build an API, its just a language for letting them describe any piece of junk they might need to describe. I often take the approach of
If you take away stuff people need to do 1, you don't get to 2 or 3. |
|
Can we consider adding a flag to indicate that PKCE is used for Authorization flows? We're currently doing this out-of-band for some tooll, ie: swagger-api/swagger-ui#7438. |
handrews
added
security
security: auth
|
@handrews we may close this one , notice than accordingly to this page https://oauth.net/3/ oauth3 project has been abandonned toward to Oauth2.1 extensions... |
|
@LasneF do we support OAS 2.1 already? If not we can leave this open for that (and maybe I'll adjust the title). |
|
arfter reading carrefully the specification around Oauth 2.1 vs Oauth2 , 2.1 is mostly precision in the protocole , good practices , and depreciation of unsecured model . but till OAS need to support Oauth2.0 we would not remove them the only addition is PKCE ,that is an addition on top of Authorization Code Flow , it s may be a miss as it has been kind of particially integrated inside swaggerUI ... as the MR mentionnd |
|
@LasneF thanks for taking a deeper look! This is helpful. For the spec, we need to take into account the whole tooling landscape and not just what Swagger has done. If Swagger (or any other vendor or open source project) has defined an extension that is working for this, we should look at it as something to possibly incorporate. |
|
after reflexion it gives me to point : swaggerUI did it ... because there is a need for sure , it is important to know if the Identity provider support this Oauth2 flavor or not the solution is somehow partially implemented (swagger-api/swagger-ui#5361) , as not part of OAS the it raises the question that it is adding to OAS spec a kind of depeendency with Oauth2 spec , and each time Oauth2 invents yet another flavor it requires a change in the OAS spec i am wondering if it should not be better to just have a instead of a collection of flags , a map or an array of RFC 🙄 something for instance having Oauth2 and flavour supported [rfc7636 , etc ] notice that looking on OIDC , and FAPI it is same kind of issue list of RFC/capability keep growing listing just RFC support could be an option to not follow the updates of specs ... |
OAuth2.1 and OAuth3 drafts has been announced.
OAuth 2.1:
OAuth 3:
It seems to me that changes to specification should be applied:
implicitin OAuth Flows Objectpasswordin OAuth Flows Objectin: queryforapiKeytype of security scheme(this one not sure, maybeapiKeyisn't related to access tokens)Don't know whether I should subscribe @aaronpk to this thread, but at least he can confirm that I retyped text from his What's New With OAuth and OIDC? video presentation correctly.
The text was updated successfully, but these errors were encountered: