Add OAuth Refresh token when openid scope is used
#5497
Conversation
OSM `access_token` don't have expiry but `id_token` which is generated when `openid` scope is enabled has expiry of 2 minutes. Making `id_token` also never expiry seems to me more problematic than no expiry for `access_token` because `id_token` can not be revoked, hence it is important to have short expiry. But with short expiry it makes `id_token` not very useful and it would complicate authentication against 3rd party services. Instead I think it is better to enable refresh token on OSM when `openid` scope is enabled for app which allows apps to refresh `id_token` by calling `/oauth/token` using refresh token. This way app can refresh `id_token` at any time and send it to 3rd party service which can authenticate user.
|
I'm wondering why you want to send id_tokens to a resource server in the first place. That's not really their intended use: https://oauth.net/id-tokens-vs-access-tokens/ |
|
I did some more investigation into this, and I agree using While investigating 3rd option of exchanging |
Description
OSM
access_tokendon't have expiry butid_tokenwhich is generated whenopenidscope is enabled has expiry of 2 minutes. Makingid_tokento also never expiry seems to me more problematic than no expiry foraccess_tokenbecauseid_tokencan not be revoked, hence it is important to have short expiry. But with short expiry it makesid_tokennot very useful and it would complicate authentication against 3rd party services. Instead I think it is better to enable refresh token on OSM whenopenidscope is enabled for app which allows apps to refreshid_tokenby calling/oauth/tokenusing refresh token. This way app can refreshid_tokenat any time and send it to 3rd party service which can authenticate user.How has this been tested?
Added unit tests, and manually on my machine, also verified that calling
/oauth/tokenwith refresh token works and produces freshid_token.More details
My main goal on how to use this is following. Mobile app such as EveryDoor, StreetComplete... Can add
openidto their OAuth Application scopes. That will result in gettingid_tokenproperty in JSON of osm.org/oauth/token that can be passed to Panoramax asAuthorization Bearer jwt_token_that_osm.org/oauth/token_returned_in_id_token_fieldwhen uploading photos. This will allow Panoramax API to use https://www.openstreetmap.org/oauth2/discovery/keys which has public key stored that can be used to verify theid_tokenand authenticate user. So from user perspective no additional logins or anything else needs to be done against Panoramax service. Another nice thing about sending OpenConnect ID token is that even if Panoramax service is compromised, this token is only useful to confirm this user did action, it does not give Panoramax any authorization to do anything against osm.org API.With this PR, mobile app will be able to fetch fresh
id_tokenat any time and send it to Panoramax service which can authenticate user as long as whole operation takes less than 2 minutes which should be plenty.Without this PR there would be 3 options IMO:
id_tokenaccess_tokenfrom Panoramax, which would complicate work for Mobile app and Panoramax, since both would need to maintain tokens between them. Biggest problem with this is unnecessary connections to Panoramax, just in case user decides to upload something in future, which might never happen.