Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

core/auth: update to recent go-oidc v3, allow oidc issuer URL override #212

Merged
merged 5 commits into from Nov 30, 2021
Merged

core/auth: update to recent go-oidc v3, allow oidc issuer URL override #212

merged 5 commits into from Nov 30, 2021

Conversation

carstendietrich
Copy link
Member

@carstendietrich carstendietrich commented Nov 30, 2021
edited

According to the OpenID Connect specs, the /.well-known/openid-configuration should contain an issuer field that matches the URL used to fetch the configuration metadata:

The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

The OIDC solutions provided from Azure for example when using the Azure Active Directory B2C currently doesn't adhere to the OpenID Connect spec and returns a wrong issuer.

Since that's something they won't fix that fast (or maybe not even at all) we should introduce a configuration to support overriding the issuer URL.

MicrosoftDocs/azure-docs#38427 (comment)

Changes in go-oidc: coreos/go-oidc@v2.0.0...v3.1.0

@carstendietrich
core/auth: update to recent go-oidc v3, allow oidc issuer URL override
326e41c 
According to the OpenID Connect specs, the /.well-known/openid-configuration should contain an `issuer` field that matches the URL used to fetch the configuration metadata:

> The issuer value returned MUST be identical to the Issuer URL that was directly used to retrieve the configuration information. This MUST also be identical to the iss Claim value in ID Tokens issued from this Issuer.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

The OIDC solutions provided from Azure for example when using the Azure Active Directory B2C currently doesn't adhere to the OpenID Connect spec and returns a wrong issuer.

Since that's something they won't fix that fast (or maybe not even at all) we should introduce a configuration to support overriding the issuer URL.

MicrosoftDocs/azure-docs#38427 (comment)
@carstendietrich
core/auth: update cue config, acutally set correct context
b06a651
@carstendietrich
core/auth: add missing module test for oauth module
f4cb662
@bastianccm
Copy link
Contributor

bastianccm commented Nov 30, 2021
edited

Using the url with /{uuid}/ instead of /common/ on Azure is not an option here?

@carstendietrich
Copy link
Member Author

carstendietrich commented Nov 30, 2021
edited

Using the url with /{uuid}/ instead of /common/ on Azure is not an option here?

@bastianccm that's only possible when using Azure Active Directory (login.microsoftonline.com):
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc

when using Azure Active Directory B2C (TENANT-XYZ.b2clogin.com) that's still an issue.
https://docs.microsoft.com/en-us/azure/active-directory-b2c/openid-connect

Example OpenID connect config for B2C containing the wrong issuer:
https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/.well-known/openid-configuration

{
-    "issuer": "https://fabrikamb2c.b2clogin.com/775527ff-9a37-4307-8b3d-cc311f58d925/v2.0/",
+    "issuer": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/v2.0/",
    "authorization_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/authorize",
    "token_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token",
    "end_session_endpoint": "https://fabrikamb2c.b2clogin.com/fabrikamb2c.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/logout"
}

@bastianccm
Copy link
Contributor

I see. Fine for me to merge (need's a rebase because I added a comment to StateEntry 🙄 sorry)

@carstendietrich
Copy link
Member Author

I see. Fine for me to merge (need's a rebase because I added a comment to StateEntry 🙄 sorry)

yeah saw that GitHub did a merge commit. Will do a squash merge anyway so we'll still have a linear history 👌🏻

@carstendietrich carstendietrich merged commit 8607648 into master Nov 30, 2021
@carstendietrich carstendietrich deleted the update-go-oidc-allow-issuer-url-override branch November 30, 2021 16:34
@github-actions github-actions bot mentioned this pull request Mar 10, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bastianccm bastianccm bastianccm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@carstendietrich @bastianccm