facile-it / php-openid-client

PHP OpenID Client

Fake Client Application Feasibility #27

Closed jamenlang closed 11 months ago

jamenlang commented 1 year ago

Sorry, this isn't really an issue, but an explanation and general questions.

I have a situation where there is an OpenID server sitting in AWS, and there's a client application that authenticates (somehow) and also uses ADFS for end-user authentication. It's just a SOAP-XML client application, so after getting authenticated once I "stole" a refresh token and I am able to use that to get an authorization token and use my own scripts to do the same things as though the application is doing it. I'm basically just acting as a middle-man because the client application availability is limited to mobile devices.

The problem I'm running into is handling end user authentication to "steal" these refresh tokens. I could continue packet-captures, but ultimately I'd like to make it easy for end users to log into some sort of portal, just so I can "steal" the refresh tokens (nothing nefarious, only to use in the future on behalf of their own individual requests via my backend scripts).

The current client workflow from a packet capture is:

1.) The client application first gets openid-configuration, which I have done with php-openid-client.

2.) The client application then gets v1/keys. I'm not sure if this part is being done by php-openid-client or if I need to configure it to do so. Accept: application/json, application/jwk-set+json

3.) The client application generates a request like this to get sent off for user authentication. v1/authorize?response_type=code&nonce=MldeA7UW3hptyZK4ViNS6A&state=AIjYt_WPt_a67y5ztJj88w&code_challenge=nT9PksZKOHBnToLUpIZS1l4Elb3jePEe7lR_zWTsn3w&code_challenge_method=S256&client_id=&scope=openid%20email%20profile%20offline_access&redirect_uri=

I do have the client id, but no secret, I'm not even sure if a secret is involved and I'm not sure how to tell, I've dug through the decompiled source of the client application but nothing is obvious.

Is it possible to create this request myself with php-openid-client? Any other tools that I should be using for tests?

I think if I could generate the nonce, state and challenge code I would be set for authentication,

4.) but then (after authentication) I have to deal with a response of authorizedCallback?code=nHAyI8gvFTNO9ZAK20R1p6tN6rXaPWpKu_T8eoZo-Jk&state=mBU6gY3VeywMT23z4vZeng

Which the client application somehow turns into an authorization token?

Is this possible to accomplish with php-openid-client with the given information or do I need something else?

thomasvargiu commented 11 months ago

Sorry for the late answer. Hope you resolved it. Honestly I don't know if I understand your request.

3.) The client application generates a request like this to get sent off for user authentication. v1/authorize?response_type=code&nonce=MldeA7UW3hptyZK4ViNS6A&state=AIjYt_WPt_a67y5ztJj88w&code_challenge=nT9PksZKOHBnToLUpIZS1l4Elb3jePEe7lR_zWTsn3w&code_challenge_method=S256&client_id=&scope=openid%20email%20profile%20offline_access&redirect_uri=

This looks like a code grant authorization with PKCE, no secrets involved.

But with PKCE a man in the middle isn't possible.
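To make the PKCE point concrete, here is an added example (not code from php-openid-client or from either poster) of the RFC 7636 mechanics behind steps 3 and 4 above: the client keeps a random code_verifier, sends only its SHA-256 challenge in the authorize request, checks state on the callback, and must present the verifier when exchanging the code. The endpoint, client_id and redirect_uri values are assumed placeholders; the known-answer pair in the test comes from RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier() -> str:
    # 32 random bytes -> 43 unreserved characters, inside the 43..128 range.
    return b64url(secrets.token_bytes(32))


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(endpoint: str, client_id: str, redirect_uri: str,
                        verifier: str, state: str, nonce: str) -> str:
    # Same parameter set as the captured request; only the challenge leaves the client.
    params = {
        "response_type": "code",
        "nonce": nonce,
        "state": state,
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
        "client_id": client_id,
        "scope": "openid email profile offline_access",
        "redirect_uri": redirect_uri,
    }
    return f"{endpoint}?{urlencode(params)}"


def handle_callback(callback_url: str, expected_state: str, verifier: str,
                    client_id: str, redirect_uri: str) -> dict:
    """Validate state, then build the token-endpoint body that turns the code into tokens."""
    qs = parse_qs(urlparse(callback_url).query)
    if not hmac.compare_digest(qs.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    return {"grant_type": "authorization_code", "code": qs["code"][0],
            "redirect_uri": redirect_uri, "client_id": client_id, "code_verifier": verifier}


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server checks: a captured code is useless without the verifier."""
    return hmac.compare_digest(challenge_s256(presented_verifier), stored_challenge)
```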