Duplicate validation necessary using OAUTHBEARER?

[TheJonny]

I'm not yet decided if this is a bug report or a support/documentation request, as I might have missed something or using it wrong:

When using the server side of the OAUTHBEARER mechanism, the token has to be validated once in the SessionData::callback for OAuthBearerValidate.

This might also obtain information about the user, for example a username. (In my application I would query the OIDC userinfo endpoint using the provided token).

Then I don't see a obvious possibility to store this data to return it from a later validate callback that would e.g. create an user object for later use, requiring to redo the validation.

[dequbed]

You're right, especially mechanisms that include arbitrary side-band data like OAUTHBEARER are not handled very well by rsasl. The initial idea was to allow storing exactly that information in SessionData, but that is sadly impossible now without breaking the API. Not to mention that it's also rather complex to do because you'd want to be able to store a discrete custom type, which would mean a new round of type erasure from an entirely new set of users. It's planned for v3, combined with a few other breaking changes.

That being said there is a possible but slightly ugly workaround right now: You construct a new SASLConfig for each connection having a different Callback instance, making use of the fact that both callback and validate are called with the same &self instance.

[dequbed]

This issue is also basically the same as #13 , just a different view on the same underlying problem.