oauth2
Here are 3,279 public repositories matching this topic...
Should mention CORS
It looks like most of the advice from the OWASP REST Cheat Sheet is discussed in this API-Security-Checklist, but OWASP talks about the importance of CORS, which is not mentioned at all in this API-Security-Checklist. Probably good to make mention. Also, the OWASP REST Cheat Sheet provides a bit more guidance regarding validation that might be good to incorporate.
Is your feature request related to a problem? Please describe.
When querying the Clients/Consent Sessions using pagination, ORY Hydra will only return results with some links, but not the total count of the items, which is useful to display in the frontend, you know, showing the total pages or something.
Describe the solution you'd like
Add the total_count parameter into Hea
#4353
So I'm extremely confused about what I should use when instantiating AuthorizationServer object.
So the documentation directs people to generate public and private keys and then literally says:
The authorization server also requires the public key.
But then this commit removes the public key from the AuthorizationServer code:
[76
The links on the FAQ page in the wiki still point to the old wiki, which seems to be deprecated.
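Problem description
When logging in to the front-end project, a 500 error is reported.
Cause analysis
It is because feign timed out when fetching the user, and then the fallback code was executed.
Essentially, it is because the feign request timed out.
In this project, feign requests time out.
Moreover, a simple demo I wrote myself ( https://gitee.com/52itstyle/Spring-Cloud-Alibaba.git ), specifically for testing nacos and feign, also times out. Exactly the same error.
So it is probably not caused by this project but by my computer (Mac): anything using nacos and feign times out.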
2020-02-24 20:58:21.938 ERROR [authorization-server,b6ed6d23d9efe8e5,b6ed6d23d9efe8e5,true] 20465 --- [nio-8000-exec-1]
Dear Guillaume,
There is a tiny error in your documentation here: http://gmvault.org/in_depth.html
This line:
You can renew a saved oauth token with the option --renew-oauth-tok
should read:
You can renew a saved oauth token with the option --renew-oauth2-tok
The 2 is missing. The missing 2 causes an error when a user tries to renew the Oauth token. Would be great if you co
Recently Slack updated its scopes, and the last step of the migration states:
"Change your app’s authentication URL to look like this: https://slack.com/oauth/v2/authorize?client_id=XXX"
This URL has changed, and it seems that new Slack apps cannot use this library.
Documentation page: https://api.slack.com/authentication/oauth-v2
I have developed a server using league/oauth2-server which successfully returns access tokens and resources when issuing the appropriate cURL commands.
I cannot, however, develop a functional client using the client credentials grant and I know that a lot of users of this package experience the same problem. I have asked the question on github, but I think the issue is the result of missing cod
Currently when I'm either downloading from sources or importing files, very little output is written to the screen. I'd love it if I can see some kind of progress being made or some kind of logging information being printed. Even if I have to add a flag to get it.
Add flags to readme
If not for some particular exceptions, the status code returned from our WebAPI on error is always 500, regardless of the kind of error.
If an object already exists, for example, it should be returned as 409. If the object does not pass the schema validation, it should be a 415.
Go through the whole WebAPI and verify that the status codes are being returned correctly.
Hint: Error
cl
Describe the feature
Ideally the documentation should mention all the datastore models required by the OpenID Connect flows. The current documentation has this section for OAuth2.0 (https://oauthlib.readthedocs.io/en/latest/oauth2/server.html#create-your-datastore-models) but it is missing for OIDC.
There are a couple issues open right now that suggest a general restructuring of GAM code, which I agree would be good. However, one simple fix that would help both with code structure and readability of contributed code is a style guide that could be enforced during PR review.
The main file is over 13k lines, at this point, and lacks a consistent style and structure throughout, making it diff
Describe the bug
In my application, based on the user property, I need to change the request.user to a different user.
class CustomMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        print(request.user)
        response = self.get_response(request)
        return response
and the MIDDLEWARE stack is
When I use aws-amplify && react-native-google-signin, I get "Invalid login token. Not a valid OpenId Connect identity token." every time.
Example of my code:
GoogleSignin.configure({ webClientId: '**************', });
signUpViaGoogle = async () => {
try {
const userInfo = await GoogleSignin.signInSilently();
await GoogleSignin.getT
It’s not part of the OAuth spec but in particular we should call out that it takes a JSON body in the template.
authlib contains pretty much all you need to implement JWT token validation. It would be nice if there was a simple default one provided. I'm not sure how many moving parts it would have. If no single validator would cover 80% of cases, maybe provide more docs on how to assemble one.
@lepture If you have a general idea of how you would like to see this implemented I would probably be able to do
Is your feature request related to a problem? Please describe.
I am trying to build an OpenID provider only, I do not really have any resources to which one would delegate access to. So I do not need OAuth provider, just OpenId provider. The issue is that currently documentation/example just says that OAuth handlers have to be registered before OpenId ones, but does not explain which are th
We have some documentation about using IBM Watson: https://github.com/sahat/hackathon-starter#ibm-watson
It would be great if we have one or more working API examples using Watson or ML/AI APIs that are provided by other companies such as Microsoft or AWS.