IdentityPython / SATOSA

Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
https://idpy.org
Apache License 2.0

Support more client authentication methods by the OIDC frontend #428

Closed Benderinho closed 1 year ago

Benderinho commented 1 year ago

I configured an openid frontend; its /.well-known/openid-configuration lists only one value in token_endpoint_auth_methods_supported: client_secret_basic

The other 3 methods from oidc specs are not listed (client_secret_post, client_secret_jwt, private_key_jwt) - are they not yet supported in satosa openid frontends? I did not find any config option to change token_endpoint_auth_methods_supported for openid frontend.

Code Version

SATOSA version 8.2.0

Expected Behavior

Client authentication method client_secret_post should be supported by OIDC frontend.

Current Behavior

The only listed client authentication method is client_secret_basic. My client wants to use client_secret_post, so it fails with this error in satosa log:

[2022-12-14 10:09:38] [DEBUG]: invalid client authentication at token endpoint
Traceback (most recent call last):
  File "/usr/local/lib/python3.11/site-packages/satosa/frontends/openid_connect.py", line 364, in token_endpoint
    response = self.provider.handle_token_request(
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pyop/provider.py", line 347, in handle_token_request
    token_request = self._verify_client_authentication(request_body, http_headers)
                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pyop/provider.py", line 509, in _verify_client_authentication
    token_request['client_id']  = verify_client_authentication(self.clients, token_request, http_headers.get('Authorization'))
                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/pyop/client_authentication.py", line 62, in verify_client_authentication
    raise InvalidClientAuthentication(
pyop.exceptions.InvalidClientAuthentication: Wrong authentication method used, MUST use 'client_secret_basic'

Possible Solution

Support the client_secret_post method, or all client authentication methods from the oidc specs.

Steps to Reproduce

  1. configure an openid frontend
  2. have a look at the frontend's token_endpoint_auth_methods_supported at /.well-known/openid-configuration

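As an added illustration (not SATOSA's or pyop's own code) of the check the traceback above is failing: a token-endpoint verifier that accepts both client_secret_basic and client_secret_post, yet still rejects a request whose method is not the one the client registered, and compares the secret in constant time. The CLIENTS registry, its field names and the helper names are assumptions.

```python
import base64
import hmac
from urllib.parse import parse_qs

# Constructed client registry (an assumption, not SATOSA's config format): each
# client records its secret and the method it registered for the token endpoint.
CLIENTS = {
    "web-app": {"client_secret": "s3cret-web", "token_endpoint_auth_method": "client_secret_basic"},
    "mobile-app": {"client_secret": "s3cret-mob", "token_endpoint_auth_method": "client_secret_post"},
}

def basic_header(client_id, secret):
    """Build the Authorization header a client_secret_basic client sends."""
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()

def _credentials_from_basic(authorization_header):
    """Extract (client_id, secret) from a Basic Authorization header, or None."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    client_id, sep, secret = decoded.partition(":")
    return (client_id, secret) if sep else None

def verify_client_authentication(clients, request_body, authorization_header=None):
    """Return the authenticated client_id, or raise ValueError.
    Detects which method the request used, requires it to be the one the client
    registered (the check behind pyop's "MUST use ..." error), then compares the
    secret in constant time."""
    params = {k: v[0] for k, v in parse_qs(request_body).items()}
    basic = _credentials_from_basic(authorization_header)
    if basic is not None and "client_secret" in params:
        raise ValueError("more than one client authentication method used")
    if basic is not None:
        used, (client_id, secret) = "client_secret_basic", basic
    elif "client_id" in params and "client_secret" in params:
        used, client_id, secret = "client_secret_post", params["client_id"], params["client_secret"]
    else:
        raise ValueError("no client authentication found")
    client = clients.get(client_id)
    if client is None:
        raise ValueError("unknown client")
    expected = client["token_endpoint_auth_method"]
    if used != expected:
        raise ValueError(f"Wrong authentication method used, MUST use '{expected}'")
    if not hmac.compare_digest(secret.encode(), client["client_secret"].encode()):
        raise ValueError("invalid client secret")
    return client_id
```

A client registered for client_secret_basic that posts its credentials in the body is still refused, which is the behaviour the error above reports; the difference is that a client registered for client_secret_post is now accepted.
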
c00kiemon5ter commented 1 year ago

Hello, we are in the process of building new OIDC frontends based on idpy-oidc and moving away from pyop, pyoidc/oic, and underlying libs.

You can find such a frontend here: https://github.com/UniversitaDellaCalabria/SATOSA-oidcop and we will be updating https://github.com/IdentityPython/SATOSA/blob/master/doc/README.md#external-contributions with more pointers, hopefully soon.

I don't think that we should invest in the current oidc-frontend. But if you (or anybody) wants to do that, please go forward with a PR. The current oidc-frontend is not going away, but it will be there for some as a possible choice.