bshaffer / oauth2-server-bundle

OAuth2 for your Symfony Application
MIT License

OpenID Connect support #38

Closed guilhermednt closed 9 years ago

guilhermednt commented 9 years ago

It seems that oauth2-server-php supports OpenID Connect. Does it mean this bundle does it too?

antonioberben commented 9 years ago

+1

bshaffer commented 9 years ago

The bundle does support it, but you will access the OpenID Connect functions by accessing the OAuth2\Server object directly. The bundle does not support any specific OpenID Connect functionality itself.

bshaffer commented 9 years ago

I added some docs about how to set up OpenID Connect with this library. I hope this helps.

antonioberben commented 9 years ago

Cheers buddy! I am playing with it already. Thanks a lot for all this. It is just great!

bshaffer commented 9 years ago

Thanks for the feedback. Not sure why it took me so long to add the docs. Please let me know where your pain points have been and I'll fill the docs out more to help with them.

guilhermednt commented 9 years ago

Thanks, @bshaffer!

I'm having a bit of trouble with the token endpoint (or maybe I didn't quite understand the specs).

I've managed to set up the bundle to use OIDC.

To test it I installed oauth2-demo-php. After testing a bit, I'm unsure if the behavior is correct on the token endpoint since I'm not getting the ID Token when I click the Authorization Code button at the OpenID Connect tab.

The spec says:

In addition to the response parameters specified by OAuth 2.0,
the following parameters MUST be included in the response:

    id_token
        ID Token value associated with the authenticated session.

But the response is:

{
  "access_token":"707495ba376dd3b6795ea6d06bb2f88314c9d2d7",
  "expires_in":3600,
  "token_type":"Bearer",
  "scope":"openid",
  "refresh_token":"2e750f52d70f6f19ec5952ca81e90e5d6012fd64"
}

To make the bundle work for OpenID Connect I created a Compiler Pass that adds oauth2.storage.user_claims and oauth2.storage.public_key services to the oauth2.server storage arguments. This Compiler Pass also changes the config to enable use_openid_connect.

Did I miss anything?

bshaffer commented 9 years ago

Hey there @guilhermednt! Are you using oauth2-demo-php or oauth2-server-bundle in the case where it doesn't work? The bundle and the demo site are not compatible, as the bundle requires Symfony and the demo uses Silex. Could this be the root of your confusion?

guilhermednt commented 9 years ago

I have both:

  1. a Symfony 2 app with the oauth2-server-bundle (it's my OpenID Provider) plus the stuff I did to make it accept OpenID Connect;
  2. the oauth2-demo-php to interact with the Symfony app.

They are separate things...

bshaffer commented 9 years ago

So you're using the client side of the demo app, and the server side is Symfony. Sounds good. But without seeing the code you've made for the Symfony app, it's impossible for me to help. I would suggest making sure the OpenID classes and controllers are properly created in your OAuth2\Server class for starters. On Fri, Sep 18, 2015 at 1:13 PM Guilherme Donato notifications@github.com wrote:

I have both:

  1. a Symfony 2 app with the oauth2-server-bundle plus the stuff I did to make it accept OpenID Connect;
  2. the oauth2-demo-php to interact with the Symfony app that will be an OpenID Provider.


guilhermednt commented 9 years ago

Thank you very much for your attention, @bshaffer.

The code can be found mostly here.

Basically I created the compiler pass to add the storage classes that I couldn't override via parameters, not sure if I did it right though...

Also, I had to override the authorize endpoint to include the user id.

Does this seem ok to you? Again, thanks for the help!

bshaffer commented 9 years ago

Hmm... I unfortunately don't have time to debug this, but your configuration actually looks spot on. A few things I've found strange - none of my libraries seem to be in your composer.json file. Also, if you debug the $server object, can you confirm the compiler pass worked?

guilhermednt commented 9 years ago

The compiler pass seems to be working fine. I just debugged the $server to make sure. The lib is in the composer.json here.

I'm trying to find where the decision of sending an ID Token is being made but it's not very clear to me yet.

bshaffer commented 9 years ago

The decision is made by instantiating the OpenID subclasses of various Controller, ResponseType, GrantType, and Storage objects. These can be created and added manually to your Server object (using setController, addGrantType, etc), or they should be done automatically when use_openid_connect is set to true.

One thing that could cause an issue is if those various classes were being created automatically by the Server ahead of time. But it appears you set the container arguments before the server is instantiated, so I don't see how this would be the problem.

See if the OpenID Authorization Code Grant Type ever gets executed, as this is where the magic for returning the id_token happens in most cases.

guilhermednt commented 9 years ago

Hmm... This is not running. I'll take a look and try to find out why. If you have any suggestion it would be much appreciated.

Thanks for the help!

bshaffer commented 9 years ago

If I were you, I would debug in the Server class first and make sure the proper OpenID classes get created.

https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L481 https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L490 https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L585 https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L594 https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L631

guilhermednt commented 9 years ago

Thanks! I'll take a look. One thing I noticed is that I had to override the oauth2.grant_type.authorization_code.class parameter to use OAuth2\OpenID\GrantType\AuthorizationCode but that wasn't enough since this condition is failing.

Thanks a LOT @bshaffer. I feel I'm on the correct path now.

bshaffer commented 9 years ago

Aha... yeah, we may be forcing some conditions through the bundle container injection that are making the OpenID model fail. I will do some testing as well to investigate this.

guilhermednt commented 9 years ago

Good news! I may have solved this last issue. The problem was in my AuthorizationCode storage class. The method getAuthorizationCode() wasn't including the id_token in the array.
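
The setup this thread converges on, written out as an added example rather than code from the bundle, from oauth2-server-php or from either commenter: OAuth2\Server is configured for OpenID Connect directly (the bundle's container is bypassed), and the authorization-code store implements the OpenID variant of the storage interface so that getAuthorizationCode() hands the stored id_token back to the grant type. Assumed, not taken from the page: the Composer autoload path, the key-pair file names, the issuer URL, and the sample client and user records.

```php
<?php
// Added example, not the bundle's or oauth2-server-php's own code. It wires
// OAuth2\Server for OpenID Connect directly and supplies an authorization-code
// store that keeps the id_token column, which is what this thread found missing.
// Assumptions: oauth2-server-php installed via Composer; key paths, issuer URL
// and the client/user records below are placeholders and constructed data.
require_once __DIR__ . '/vendor/autoload.php';

use OAuth2\Server;
use OAuth2\Request;
use OAuth2\Response;
use OAuth2\Storage\Memory;
use OAuth2\OpenID\Storage\AuthorizationCodeInterface;

/**
 * Authorization-code storage for the OpenID variant of the interface.
 *
 * OAuth2\OpenID\GrantType\AuthorizationCode adds "id_token" to the token
 * response only when the row returned by getAuthorizationCode() carries an
 * 'id_token' key. A store that writes the id_token but does not read it back
 * produces the plain OAuth2 response quoted earlier in the thread.
 */
class InMemoryOpenIdCodeStorage implements AuthorizationCodeInterface
{
    /** @var array code => row */
    private $codes = array();

    public function getAuthorizationCode($code)
    {
        // Return the whole row, id_token included (null for non-OpenID requests).
        return isset($this->codes[$code]) ? $this->codes[$code] : null;
    }

    public function setAuthorizationCode($code, $client_id, $user_id, $redirect_uri, $expires, $scope = null, $id_token = null)
    {
        $this->codes[$code] = array(
            'code'         => $code,
            'client_id'    => $client_id,
            'user_id'      => $user_id,
            'redirect_uri' => $redirect_uri,
            'expires'      => $expires,  // unix timestamp; the grant type compares it with time()
            'scope'        => $scope,
            'id_token'     => $id_token, // the field the thread's store was not returning
        );
    }

    public function expireAuthorizationCode($code)
    {
        unset($this->codes[$code]);
    }
}

// Constructed sample records; the key files are placeholder paths.
$shared = new Memory(array(
    'client_credentials' => array(
        'demoapp' => array(
            'client_secret' => 'demopass',
            'redirect_uri'  => 'http://localhost/callback',
        ),
    ),
    'user_claims' => array(
        'demouser' => array('email' => 'demouser@example.com', 'email_verified' => true),
    ),
    'keys' => array(
        'public_key'  => file_get_contents(__DIR__ . '/keys/op-public.pem'),
        'private_key' => file_get_contents(__DIR__ . '/keys/op-private.pem'),
    ),
));

$server = new Server(
    array(
        'authorization_code' => new InMemoryOpenIdCodeStorage(),
        'client'             => $shared,
        'client_credentials' => $shared,
        'user_claims'        => $shared,
        'public_key'         => $shared,
        'access_token'       => $shared,
        'refresh_token'      => $shared,
    ),
    array(
        'use_openid_connect' => true,                     // selects the OpenID controllers, grant and response types
        'issuer'             => 'https://op.example.com',  // placeholder; becomes the "iss" claim of the ID Token
        'enforce_state'      => true,
    )
);

// Authorize endpoint: the user id has to be passed in, because the ID Token
// (and its "sub" claim) is minted here and stored next to the code.
function handleAuthorize(Server $server, $isLoggedIn, $userId)
{
    $request  = Request::createFromGlobals();
    $response = new Response();
    if (!$server->validateAuthorizeRequest($request, $response)) {
        return $response;
    }
    return $server->handleAuthorizeRequest($request, $response, $isLoggedIn, $userId);
}

// Token endpoint: with the store above, the response carries "id_token"
// alongside access_token, as the spec excerpt in the thread requires.
function handleToken(Server $server)
{
    return $server->handleTokenRequest(Request::createFromGlobals());
}
```

A quick check when an ID Token still does not appear: dump the row returned by your getAuthorizationCode() for a freshly issued code and confirm it has a non-empty 'id_token' key; if it does, confirm that the grant type registered for "authorization_code" is the OAuth2\OpenID\GrantType\AuthorizationCode subclass rather than the base class.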

guilhermednt commented 9 years ago

@bshaffer, another question: should the nonce be present here?

I noticed it's not being forwarded to the id_token since the AuthorizeController expects the nonce in the query string. I just want to be sure if this is the right place to put the nonce.

Again, thanks for the help! Your libs are saving my life. hehe

bshaffer commented 9 years ago

Ahh yes. OpenID Connect will still work for response_type=code without the nonce, but for response_type=id_token and response_type=id_token+token, we need the nonce to be passed in with the authorization request. I will submit a fix for this.
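
The client half of the nonce handling described here, as an added example and not code from the bundle, from oauth2-server-php or from the demo client: the relying party generates a nonce per authorization request, sends it with the request, and after the callback accepts the ID Token only if its signature and its iss, aud and exp claims check out and its nonce claim echoes the value that session sent. Assumed, not from the page: plain PHP with OpenSSL, the OP's public key in PEM form, and placeholder issuer, client and redirect values.

```php
<?php
// Added example, not code from the bundle, oauth2-server-php or the demo
// client. Client-side nonce handling for response_type=id_token (or
// "id_token token"): generate, send, then verify it against the ID Token.
// Assumptions: plain PHP with the OpenSSL extension; the OP's RS256 public
// key in PEM form; issuer, client_id and redirect_uri are placeholders.

function base64UrlDecode($s)
{
    $s = strtr($s, '-_', '+/');
    $pad = (4 - strlen($s) % 4) % 4;
    return base64_decode($s . str_repeat('=', $pad));
}

// Step 1: build the authorization request with a fresh nonce and state,
// remembering both in the session for the callback.
function buildAuthorizeUrl($authorizeEndpoint, $clientId, $redirectUri, array &$session)
{
    $session['oidc_nonce'] = bin2hex(openssl_random_pseudo_bytes(16));
    $session['oidc_state'] = bin2hex(openssl_random_pseudo_bytes(16));
    return $authorizeEndpoint . '?' . http_build_query(array(
        'response_type' => 'id_token token', // an implicit response, where the nonce is required
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'scope'         => 'openid email',
        'state'         => $session['oidc_state'],
        'nonce'         => $session['oidc_nonce'],
    ));
}

// Step 2a: the state returned on the callback must be the one this session sent.
function checkState($returnedState, array $session)
{
    return isset($session['oidc_state'])
        && hash_equals($session['oidc_state'], (string) $returnedState);
}

// Step 2b: validate the ID Token. Returns its claims or throws; any failure
// means the whole callback is discarded.
function validateIdToken($idToken, $opPublicKeyPem, $expectedIssuer, $clientId, array &$session)
{
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        throw new RuntimeException('ID Token is not a compact JWS');
    }
    list($h, $p, $s) = $parts;
    $header = json_decode(base64UrlDecode($h), true);
    $claims = json_decode(base64UrlDecode($p), true);
    if (!is_array($header) || !is_array($claims)) {
        throw new RuntimeException('ID Token header or payload is not valid JSON');
    }
    // Pin the algorithm: the token must not get to choose "none" or an HMAC variant.
    if (!isset($header['alg']) || $header['alg'] !== 'RS256') {
        throw new RuntimeException('unexpected alg');
    }
    if (openssl_verify("$h.$p", base64UrlDecode($s), $opPublicKeyPem, OPENSSL_ALGO_SHA256) !== 1) {
        throw new RuntimeException('ID Token signature does not verify');
    }
    if (!isset($claims['iss']) || $claims['iss'] !== $expectedIssuer) {
        throw new RuntimeException('issuer mismatch');
    }
    $aud = isset($claims['aud']) ? (array) $claims['aud'] : array();
    if (!in_array($clientId, $aud, true)) {
        throw new RuntimeException('audience does not include this client');
    }
    if (!isset($claims['exp']) || $claims['exp'] < time()) {
        throw new RuntimeException('ID Token expired');
    }
    // The replay check the nonce exists for: the claim must echo the value
    // this session sent, and the stored value is consumed so a second
    // callback carrying the same token is rejected.
    if (!isset($session['oidc_nonce'], $claims['nonce'])
        || !hash_equals($session['oidc_nonce'], (string) $claims['nonce'])) {
        throw new RuntimeException('nonce missing or does not match the authorization request');
    }
    unset($session['oidc_nonce']);
    return $claims;
}
```

On the provider side this is why the nonce has to travel with the authorization request rather than be supplied later: the ID Token is built at the authorize endpoint, so a nonce that never reaches the AuthorizeController cannot end up in the token, and a client doing the check above will then reject every implicit-flow response.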

bshaffer commented 9 years ago

fixed in 7fba8128ade37a7d9c2e722c80f8fb9b26bb58fe