- changed status to invalid
GrantType.AUTHORIZATION_CODE seems to wrongly assume that client id is mandatory
Issue #185
invalid
I'm far from an OpenId Connect expert (currently learning mostly thanks to your great documentation on http://connect2id.com/learn/openid-connect) but I could not find anything about mandatory client id in the case of a authorization_code (including http://connect2id.com/learn/openid-connect#example-auth-code-flow-step-2).
Looks like "true" and "false" are inverted in the second and third parameters when creating GrantType.AUTHORIZATION_CODE.
Comments (7)
-
-
reporter
Indeed I missed it. http://connect2id.com/learn/openid-connect#example-auth-code-flow-step-2 should probably be updated to reflect the fact that client id is required.
Another issue is that you can't create a TokenRequest with both a ClientAuthentication and a ClientID (it's either one or the other). https://tools.ietf.org/html/rfc6749#section-4.1.3 indeed indicate that client id is mandatory for access token but also indicate that client may need to authenticate.
-
Regarding the example, the client_id is in there, though not in plain sight - it's encoded in the Basic auth header ;)
I saw from your work around link that you're working on adopting OIDC in XWiki. Let us know when it goes live, we'll be glad to share the news. I also spend time on the OIDC WG, and would be interested to hear your feedback on the protocol and whether it met your needs and expectations.
Cheers,
Vlad
-
reporter
I saw from your work around link that you're working on adopting OIDC in XWiki. Let us know when it goes live, we'll be glad to share the news. I also spend time on the OIDC WG, and would be interested to hear your feedback on the protocol and whether it met your needs and expectations.
The first target for the extension is to use that as SSO for the various services of the new XWiki SAS Cloud offering. So far it does met expectations both in theory and in practice. Also oauth2-oidc-sdk and http://connect2id.com/learn/openid-connect have been a great help in implementing that ! I'm almost done with a XWiki client working well with the XWiki provider and then I will have to find some time fully pass http://openid.net/certification/. I wrote all this as standard OIDC provider and client but I'm sure there is some edge cases (or even not edge at all :)) I missed.
Then we will also probably make http://www.xwiki.org an OpenId Connect provider and of course anyone will be able to easily install both the provider and the authenticator on his own instance.
-
Thanks for the feedback!
OIDC is great not just for running a public IdP, but also for establishing a unified identity system across an org or the components / APIs of an app. So people could log in with all sorts of providers and protocols into XWiki, which then get converted to an ID token issued by XWiki, and the apps (web, mobile) and APIs in the XWiki ecosystem only have to deal with this ID token.
Pac4j is one conceptually great Java library which can work with just about any IdP protocol and Java framework for obtaining a user's identity and profile, which can then be fed into an OIDC IdP and ID token, to implement "federation" in identity jargon. Last year a had the chance to meet the Pac4js maintainer at an OIDC evening in Paris, and he's a really bright guy.
My suggestion is to run the cert tests as soon as you have something working (this can be done for free), even if you don't request a final certification to be issued. This will allow you to catch interop issues and bugs, but keep in mind that the cert tests are not comprehensive.
You could also check out the OIDC client for developers at https://demo.c2id.com/oidc-client
It's git repo is here: https://bitbucket.org/connect2id/openid-connect-dev-client
Cheers,
Vladimir
-
reporter
Thanks for Pac4j, I will definitely take a look. There is a socialauth based extension for XWiki on http://extensions.xwiki.org/xwiki/bin/view/Extension/Social+Login+Application that was aiming at more or less the same goal but Pac4j looks more complete and more up to date. Plus we need to rethink the now very old core XWiki Authentication API anyway (when this can end up in the roadmap by some miracle :)).
It's git repo is here: https://bitbucket.org/connect2id/openid-connect-dev-client
Cool that's what I was searching for since https://demo.c2id.com/oidc-client is giving me a "Network" error without much details but I assumed it was because it tried it on a http test provider instead of https.
-
Hi @tmortagne , could you send us a screenshot of the "network error" that you're getting? Thanks!
- Log in to comment
authRequired=false, clientIDRequired=false means that to exchange a code for token(s) the client must either by authenticated (implies that the client_id is provided), or just identify itself (for public OAuth clients) via a client_id parameter in the POST body:
https://tools.ietf.org/html/rfc6749#section-4.1.3