gvanderploeg
commented
6 years ago From the Firefox info, it seems as though the plugin is not setting up the acr_values, scope, and nonce parameters. I tried this in one of our shared portal environments using both friendly and machine URLs and observed the same behavior.
According to the spec (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), those parameters are optional, so I'd suppose they should be treated as such by the IDP. I've never encountered those parameters before as being mandatory by an IDP.
ibcajt01
Hello.
I am having a problem with the Liferay OpenID Connect plugin (for Liferay DXP 7.0). I am trying to integrate my portal with login.gov as identity provider. The configurations I am using for the plugin and login.gov are included below. When I click on a Sign In link (https://localhost:8443/c/portal/login?p_l_id=111111) in my local environment, I encounter the following behaviors...
In Google Chrome: This page isn’t working idp.int.identitysandbox.gov redirected you too many times.
In Firefox: The page isn’t redirecting properly https://localhost:8443/c/portal/login?error=invalid_request&error_description=Acr+values+Please+fill+in+this+field.+Acr+values+No+acceptable+acr_values+found+Scope+Please+fill+in+this+field.+Scope+No+valid+scope+values+found+Nonce+Please+fill+in+this+field.+Nonce+is+too+short+%28minimum+is+32+characters%29&state=8d............................8a
In Internet Explorer: An infinite loop is apparently created. (The address bar appears to keep redirecting back and forth between two URLs.)
From the Firefox info, it seems as though the plugin is not setting up the acr_values, scope, and nonce parameters. I tried this in one of our shared portal environments using both friendly and machine URLs and observed the same behavior.
Can you please advise about this problem?
Here are my Liferay OpenID Connect plugin parameters:
Enabled: Checked
Location of the authorization service (example: https://accounts.google.com/o/oauth2/v2/auth) https://idp.int.identitysandbox.gov/openid_connect/authorize
Location of the token service (example: https://www.googleapis.com/oauth2/v4/token) https://idp.int.identitysandbox.gov/api/openid_connect/token
UserInfo endpoint (example: https://www.googleapis.com/plus/v1/people/me/openIdConnect) https://idp.int.identitysandbox.gov/api/openid_connect/userinfo
Issuer urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name
Scope(s) of the access token Blank (to default to "openid profile email")
OAuth client ID urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name (same as Issuer above)
OAuth client secret Blank (login.gov does not use this)
OpenID Provider type Generic
SSO logout endpoint (optional) Blank
Parameter name supplied to SSO logout endpoint (optional) Blank
Parameter value supplied to SSO logout endpoint (optional) Blank
Here are my login.gov app registration parameters:
Identity protocol openid_connect
Issuer urn:gov:gsa:openidconnect.profiles:sp:sso:doi_ibc:my_issuer_name
Public key
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
Return to App UR https://localhost:8443/web/local-tmp-site-01
Redirect URIs https://localhost:8443/c/portal/login https://localhost:8443/c/portal/login?p_l_id=111111
Attribute bundle email
Active Y
(Please see https://developers.login.gov/oidc/ for login.gov OIDC parameter documentation.)