Support OAuth2 JWT tokens for calls to subscribers

[VladimirIordanov]

For security reason we require a valid JWT token for all incoming requests to our microservices. According to OAuth2 flow all tokens have the expiration timestamp. So we need to generate the new token if the current is expired. For the moment Svix doesn't support a functionality for generating a token by provided secrets. It would be nice to have such option in Svix "Create Endpoint" API

[tasn]

Thanks @VladimirIordanov for suggesting this!

I'd love to hear more about how you envision this to work exactly! Is it something like:

1. Set the OAuth2 secret and authentication URL for an endpoint.
2. Svix will check the expiration of the OAuth2 token and if expires get a new one using the secret.
3. Svix uses the newly generated token to make API calls?

[tasn]

I think it all sounds reasonable. I just don't remember where the secret is stored. Is it in the URL? (so the URL is secret)
I really need to brush up my memory of OAuth2.

[VladimirIordanov]

I guess it depends on implementation of token endpoint.
For AWS and Azure it is passed in body:
client_id=_client_id_&scope=_scope_&client_secret=_secret_&grant_type=client_credentials

For Auth0 it is passed in such format:
audience=API_IDENTIFIER&grant_type=client_credentials&client_id=YOUR_CLIENT_ID&client_secret=YOUR_CLIENT_SECRET

[tasn]

Ahhh, sorry, I missed the body one.

OK, so body and url are both secretish. I guess the whole tokenEndpoint can be secret.

Could you please open a ticket and refer to this discussion? We would love to add it to the roadmap!

[VladimirIordanov]

Great! Created an issue #645.

[tasn]

Thanks a lot!