FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Feature : Requesting claims using the claims request parameter #308

Closed tauinger-de closed 5 months ago

tauinger-de commented 5 years ago

Need claims in addition to scopes for OpenID Connect

Description

I am trying hard to get Twitch set up as an identity provider. However (as discussed in https://discuss.dev.twitch.tv/t/openid-connect-issues-using-fusionauth-scopes-are-not-provided/22627/3) Twitch doesn't support any other scope than "openid". To get access to the essential "email" claim, this must be requested with another "claims" parameter such as &claims={"id_token":{"email":null,"email_verified":null},"userinfo":{"picture":null}}

To me it seems that Fusionauth does not support this -- which would mean that I cannot employ Twitch as a provider :(

Is there a workaround for this?

Related Specification

https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims section 5.5

robotdan commented 5 years ago

From what I understand from reading that thread, the user:read:email scope (for example) will ensure that the JWT they send us back has enough privilege to read the user's email address when we request it from the User endpoint ( https://api.twitch.tv/helix/users ).

Here is the configuration I'm using.

Twitch OpenID Connect discovery: https://id.twitch.tv/oauth2/.well-known/openid-configuration
Authorization: https://id.twitch.tv/oauth2/authorize
Token: https://id.twitch.tv/oauth2/token
Userinfo: https://id.twitch.tv/oauth2/userinfo

When you configure the Twitch IdP you can either just specify https://id.twitch.tv/oauth2 as the issuer and we'll discover all of the endpoints, or you can manually enter each URL.

I can confirm that the Userinfo endpoint is not returning the email claim. Here is the JSON response from Twitch.

{
  "aud" : "nxbhe55gj9twb9ld1q5j1pxrll4gmb",
  "exp" : 1569439555,
  "iat" : 1569438655,
  "iss" : "https://id.twitch.tv/oauth2",
  "nbf" : null,
  "sub" : "464160060",
  "jti" : null,
  "azp" : "nxbhe55gj9twb9ld1q5j1pxrll4gmb",
  "preferred_username" : "robotdan_fa"
}

Here is my configuration :

[Screenshot: Twitch identity provider configuration, 2019-09-25]

This is sort of strange because email is a registered OpenId Connect claim. I'll have to look at their documentation further to see if there is a way to request the email address.

robotdan commented 5 years ago

It does look like they document the claims parameter as was mentioned in the thread you posted.

https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#oidc-authorization-code-flow

This page lists out the default claims returned in the Userinfo response, this is consistent with what I'm seeing. https://dev.twitch.tv/docs/authentication/getting-tokens-oidc/#claims

According to their documentation, we would have to append another parameter to the request to Userinfo.

claims={"userinfo":{"email":null}}

We don't currently support adding additional request parameters to these requests.

This is a documented optional method to allow the caller to request particular claims. It is documented in section 5.5 in the OpenID Connect core spec. https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

We could look at adding this capability so that we can work with Twitch and any other OIDC provider that may utilize this methodology.

robotdan commented 5 years ago

@tauinger-de I may have an easy fix for you.

As a test, I made a small change to the way we call the Authorize endpoint to allow request parameters to be added to the configured URL.

This way, I configured my Twitch IdP as follows for the Authorization endpoint:

https://id.twitch.tv/oauth2/authorize?claims=%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D

I added ?claims=%7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D to the end of the endpoint to force this parameter on the request. %7B%22userinfo%22%3A%7B%22email%22%3Anull%7D%7D is the following JSON, URL-encoded: {"userinfo":{"email":null}}.

We should probably support the claims request parameter configuration at some point, but I can ship this minor change in the upcoming patch release. I have verified this will work for a Twitch login.

Look for Twitch to work in the upcoming patch release.
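The two comments above describe the OpenID Connect `claims` request parameter (Core 1.0 section 5.5) and a workaround that pins a URL-encoded `claims` value onto the configured Authorization endpoint. The following Python is an added example, not code from this issue or from FusionAuth: it builds the `claims` JSON, constructs the authorization request, and decodes the parameter back out so you can check what is actually sent. The client_id, redirect_uri, state and nonce values are constructed placeholders. One caveat the workaround makes relevant: if the configured endpoint already carries a query string (as the `?claims=...` trick does), the client must merge its own parameters into that query rather than appending a second `?`, so the example does the merge explicitly.

```python
import json
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed placeholders for the example; only the authorize endpoint is Twitch's real URL.
TWITCH_AUTHORIZE = "https://id.twitch.tv/oauth2/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://login.example.com/oauth2/callback"


def claims_request(id_token=None, userinfo=None):
    """Build the JSON value of the OIDC 'claims' parameter (Core 1.0, section 5.5).

    id_token and userinfo map claim names to None (voluntary claim) or to a
    dict such as {"essential": True}. Compact separators keep the encoded
    query short; the IdP parses the JSON, so whitespace is not significant.
    """
    doc = {}
    if id_token:
        doc["id_token"] = id_token
    if userinfo:
        doc["userinfo"] = userinfo
    return json.dumps(doc, separators=(",", ":"), sort_keys=True)


def authorize_url(endpoint, client_id, redirect_uri, scope="openid",
                  claims=None, state=None, nonce=None):
    """Build an authorization code request against a configured endpoint.

    Any query string already present on the endpoint (for example a pinned
    claims parameter) is parsed and merged, so the result has exactly one '?'
    and every parameter is URL-encoded once. state and nonce default to fresh
    random values; a real client must store them to validate the response.
    """
    parts = urlsplit(endpoint)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    params.update({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state or secrets.token_urlsafe(16),
        "nonce": nonce or secrets.token_urlsafe(16),
    })
    if claims is not None:
        params["claims"] = claims
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(params), ""))


def requested_claims(url):
    """Decode the 'claims' parameter out of a request URL (None if absent).

    Useful to confirm that a pinned or merged claims value survives encoding.
    """
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return json.loads(params["claims"]) if "claims" in params else None


if __name__ == "__main__":
    # Ask Twitch for the email claim in the Userinfo response, as in the thread.
    claims = claims_request(userinfo={"email": None})
    print(authorize_url(TWITCH_AUTHORIZE, CLIENT_ID, REDIRECT_URI, claims=claims))
    # Mark the claim essential instead: the IdP should then fail the request
    # if it cannot return email, rather than silently omitting it.
    print(claims_request(userinfo={"email": {"essential": True}}))
```

Support for the `claims` parameter is optional for an OpenID Provider, so `requested_claims` only tells you what the client asked for; whether the claim arrives still has to be checked on the ID token or Userinfo response.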

tauinger-de commented 5 years ago

Good morning, that sounds great! Thanks heaps for your efforts. Have you got a release date in mind?

robotdan commented 5 years ago

Opening a separate issue to track this small fix to make Twitch work with our current OpenId Connect configuration. We can use this issue to track the feature to add support for the claims request parameter during an Authorization request.

Issue https://github.com/FusionAuth/fusionauth-issues/issues/309

> Good morning, that sounds great! Thanks heaps for your efforts. Have you got a release date in mind?

You're welcome. No date in mind, there are a few minor fixes that I could probably get out in a small release. Maybe yet this week? Do you have an ideal timeline in mind?

andrewpai commented 5 months ago

Closing this issue, as it seems to be covered by #309 .