erlef / oidcc

OpenId Connect client library in Erlang & Elixir
https://hexdocs.pm/oidcc
Apache License 2.0

select_preferred_auth may be choosing a method for which there are not required resources #351

Closed danj3 closed 3 months ago

danj3 commented 6 months ago

oidcc version

3.2.0

Erlang version

26

Elixir version

1.16

Summary

Upon upgrade from 3.1.2 to 3.2, authorization URL generation broke at attempt_par (resulting in HTTP 401/Authorization failed). The default available auth methods in oidcc_auth_util.erl:add_client_authentication, when not overridden by Opts, will be used; however, the client is only configured with a client_secret (for use with the Basic or post methods), but the result was (one of) the JWT methods.

It seems some additional client configuration is needed to use the JWT methods (only based on the 401), so does the select_preferred_auth function need to consult the client configuration to determine if a method can be used? Alternatively, is it presumed that the client must always pass preferred_auth_methods if the IDP supports all of them but the client is only configured for a subset?

This problem may be the result of a knowledge deficit on the reporter's part; if so, the reporter offers both apologies and a request for steps to remedy it.

Current behavior

Client configured with client_id and client_secret for create_redirect_url will fail authorization during PAR if the IDP supports JWT methods.

How to reproduce

Configure the client with client_id and client_secret, without a JWT for auth.

Expected behavior

If only client_secret is in the client context/config, without a client_jwks, detect and remove the JWT auth methods during selection.
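The selection rule the report asks for, as an added example in Erlang that is not oidcc's own code: a hypothetical module `auth_method_filter` keeps only those provider-advertised client authentication methods that the client context can actually satisfy, in the caller's preference order. The method names are the registered OIDC/RFC 7523 values; the shape of the context map (`client_secret`, `client_jwks`) and the module and function names are assumptions for this example. Note that `client_secret_jwt` is an HMAC over the shared secret and therefore stays usable without `client_jwks`, while `private_key_jwt` is dropped when no JWKS with keys is configured.

```erlang
%% Added example, not oidcc's own code: filter candidate client
%% authentication methods down to the ones a client context can satisfy.
%% Method atoms follow the OIDC Core / RFC 7523 registry; the context
%% map shape (client_secret, client_jwks) is an assumption.
-module(auth_method_filter).
-export([usable_methods/2, preferred_method/2]).

%% A method is usable only if the credential it needs is present.
-spec method_usable(atom(), map()) -> boolean().
method_usable(none, _Ctx) ->
    true;
method_usable(client_secret_basic, Ctx) ->
    has_secret(Ctx);
method_usable(client_secret_post, Ctx) ->
    has_secret(Ctx);
method_usable(client_secret_jwt, Ctx) ->
    %% HMAC-signed assertion: needs the shared secret, not a private key.
    has_secret(Ctx);
method_usable(private_key_jwt, Ctx) ->
    %% Asymmetric assertion: needs a JWKS holding at least one key.
    has_jwks(Ctx);
method_usable(_Unknown, _Ctx) ->
    false.

has_secret(Ctx) ->
    case maps:get(client_secret, Ctx, unauthenticated) of
        unauthenticated -> false;
        Secret when is_binary(Secret), byte_size(Secret) > 0 -> true;
        _ -> false
    end.

has_jwks(Ctx) ->
    case maps:get(client_jwks, Ctx, none) of
        none -> false;
        #{<<"keys">> := [_ | _]} -> true;
        _ -> false
    end.

%% Keep the methods the client can satisfy, preserving caller order.
-spec usable_methods([atom()], map()) -> [atom()].
usable_methods(Supported, Ctx) ->
    [M || M <- Supported, method_usable(M, Ctx)].

%% First usable method in preference order, or an explicit error
%% rather than silently falling through to a method that will 401.
-spec preferred_method([atom()], map()) ->
          {ok, atom()} | {error, no_supported_auth_method}.
preferred_method(Preferred, Ctx) ->
    case usable_methods(Preferred, Ctx) of
        [First | _] -> {ok, First};
        [] -> {error, no_supported_auth_method}
    end.

%% Usage with a constructed context (secret only, no client_jwks):
%% Ctx = #{client_id => <<"my-client">>, client_secret => <<"s3cret">>},
%% auth_method_filter:preferred_method(
%%     [private_key_jwt, client_secret_jwt, client_secret_basic], Ctx).
```

The design choice worth noting is that an empty result is returned as `{error, no_supported_auth_method}` instead of defaulting to the first advertised method; a client misconfiguration then surfaces locally before any request reaches the provider's PAR or token endpoint.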

maennchen commented 6 months ago

I'm a bit swamped at the moment.

@paulswartz Do you have some time to have a look by any chance?

paulswartz commented 6 months ago

I took a look, and it looks like Oidcc should be doing the right thing and bailing out of private_key_jwt if there are no keys present: https://github.com/erlef/oidcc/blob/main/src%2Foidcc_auth_util.erl#L183

@danj3 can you share any more about your configuration?

danj3 commented 6 months ago

I will put some debugging into the function you called out and report back.

Stratus3D commented 4 months ago

I believe I may be experiencing the same issue. I'm seeing my /par requests failing with HTTP 400. Downgrading to 3.1.2 appears to resolve the issue. I will post more specifics when I have time to debug.

For reference, the OIDC server I'm using is Okta.

Stratus3D commented 4 months ago

Oddly, the error message from Okta is "The request contained multiple parameters with the same name.", which leads me to https://github.com/erlef/oidcc/pull/314, which was merged in 3.2.0.

Stratus3D commented 4 months ago

I think I was mistaken in commenting on this thread. The error from Okta appears to be resolved by these changes: https://github.com/erlef/oidcc/pull/360

maennchen commented 4 months ago

@danj3 Did you figure anything out?

maennchen commented 3 months ago

Closing because of inactivity