Open colemickens opened 6 years ago
Hm, it looks like the server does maintain an authrequest for outbound oidc-alike connectors but handles the storage on behalf of the connector. I'll see if there's a way to support nonce without needing to refactor how storage is handled.
I have this implemented in a fork by adding ConnectorData that can be persisted/accessed during the flow. But it's blocked on #1255.
@colemickens Any update on this? It looks like #1255 isn't blocking this anymore.
I had implemented it here. It stacks on another PR that isn't merged yet, though. https://github.com/dexidp/dex/pull/1256
Sorry, sifting through so many issues and PRs. Thanks for the update.
I know that Dex supports the implicit flow for the IdP, but I'd like to be able to use Dex with Portier, which only supports response_type=id_token and the grant_type=implicit.

Unfortunately, this requires tracking the nonce (which is required in the implicit flow) whereas the current OIDC connector seems stateless during the initial exchange.

Is there a pattern to follow here? Maybe a connector that has to stash some session data during the authentication flow? Is there a way to "start" the identity without it being treated as fully authenticated?
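Added example, not part of the thread and not Dex's code: a sketch of the nonce tracking the issue asks for, where a connector stashes a fresh nonce per auth request before redirecting upstream and checks the `nonce` claim of the returned ID token exactly once. `NonceStore`, `Begin` and `Finish` are hypothetical names; the in-memory map stands in for whatever per-request connector storage is used, and the sketch assumes the ID token signature has already been verified and leaves expiry of pending entries out.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"sync"
)

// NonceStore is a hypothetical stand-in for per-auth-request connector data.
type NonceStore struct {
	mu      sync.Mutex
	pending map[string]string // auth request ID -> nonce sent upstream
}

func NewNonceStore() *NonceStore { return &NonceStore{pending: map[string]string{}} }

// Begin creates a fresh nonce for the outbound request and stashes it.
func (s *NonceStore) Begin(authReqID string) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := base64.RawURLEncoding.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.pending[authReqID] = nonce
	return nonce, nil
}

// Finish checks the nonce claim from the returned ID token. The pending entry
// is deleted before comparing, so a replayed or guessed response cannot retry.
func (s *NonceStore) Finish(authReqID, claimNonce string) error {
	s.mu.Lock()
	want, ok := s.pending[authReqID]
	delete(s.pending, authReqID)
	s.mu.Unlock()
	if !ok {
		return errors.New("no pending auth request")
	}
	if subtle.ConstantTimeCompare([]byte(want), []byte(claimNonce)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}

func main() {
	s := NewNonceStore()
	n, _ := s.Begin("req-1") // constructed auth request ID
	fmt.Println(s.Finish("req-1", n), s.Finish("req-1", n))
}
```

The second `Finish` call in `main` fails because the entry is single-use, which is the replay protection the nonce exists to provide.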