Jacob Champion <jacob.champ...@enterprisedb.com> wrote: > Peter asked me if there were plans to provide a "standard" validator > module, say as part of contrib. The tricky thing is that Bearer > validation is issuer-specific, and many providers give you an opaque > token that you're not supposed to introspect at all. > > We could use token introspection (RFC 7662) for online verification, > but last I looked at it, no one had actually implemented those > endpoints. For offline verification, I think the best we could do > would be to provide a generic JWT Profile (RFC 9068) validator, but > again I don't know if anyone is actually providing those token formats > in practice. I'm inclined to push that out into the future.
Have you considered sending the token for validation to the server, like this curl -X GET "https://www.googleapis.com/oauth2/v3/userinfo"; -H "Authorization: Bearer $TOKEN" and getting the userid (e.g. email address) from the response, as described in [1]? ISTM that this is what pgadmin4 does - in paricular, see the get_user_profile() function in web/pgadmin/authenticate/oauth2.py. [1] https://www.oauth.com/oauth2-servers/signing-in-with-google/verifying-the-user-info/ -- Antonin Houska Web: https://www.cybertec-postgresql.com
