gematik / epa-deployment

Project includes docker-compose file to start all relevant services (including VAU encryption/decryption) for an ePA environment.
Apache License 2.0

gem-auth openid: "scope ist ungültig" (scope is invalid) #32

Closed ManuelB closed 1 month ago

ManuelB commented 1 month ago

Hello, I have implemented the authorization call according to: https://gemspec.gematik.de/docs/gemILF/gemILF_PS_ePA/latest/#A_24944-01

I am copying all values from the authorization server to the auth URL of the IdP. I get the following:

"https://idp-ref.zentral.idp.splitdns.ti-dienste.de/auth?client_id=GEMgemaePAAHdL9ZU23R&response_type=code&redirect_uri=https%3A%2F%2Ftest-ps.gematik.de%2FePA&state=ez07Vj_XIqc&code_challenge=Blf92p5_xgzOvZGg_Rsi31kN0kNS3nCZcFAHFfwIPKg&code_challenge_method=S256&scope=gem-auth%2Bopenid&nonce=Ct4syakDgnk"

https://github.com/med-united/epa4all/blob/main/idp-oidc-flow/src/test/java/de/servicehealth/epa4all/idp/IdpClientIT.java

Turns out I get a: "scope ist ungültig" (scope is invalid)

curl "https://idp-ref.zentral.idp.splitdns.ti-dienste.de/auth?client_id=GEMgemaePAAHdL9ZU23R&response_type=code&redirect_uri=https%3A%2F%2Ftest-ps.gematik.de%2FePA&state=ez07Vj_XIqc&code_challenge=Blf92p5_xgzOvZGg_Rsi31kN0kNS3nCZcFAHFfwIPKg&code_challenge_method=S256&scope=gem-auth%2Bopenid&nonce=Ct4syakDgnk" -v
*   Trying 10.31.197.4:443...
* TCP_NODELAY set
* Connected to idp-ref.zentral.idp.splitdns.ti-dienste.de (10.31.197.4) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: businessCategory=Private Organization; serialNumber=280353i; jurisdictionC=AT; jurisdictionST=Niederoesterreich; jurisdictionL=Korneuburg; C=AT; ST=Niederoesterreich; L=Schwechat; street=Concorde Business Park F; O=Research Industrial Systems Engineering (RISE) F., E. u. G. GmbH; CN=idp-ref.zentral.idp.splitdns.ti-dienste.de
*  start date: May 27 12:16:02 2024 GMT
*  expire date: Jun 28 12:16:01 2025 GMT
*  subjectAltName: host "idp-ref.zentral.idp.splitdns.ti-dienste.de" matched cert's "idp-ref.zentral.idp.splitdns.ti-dienste.de"
*  issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign ECC EV SSL CA 2018
*  SSL certificate verify ok.
> GET /auth?client_id=GEMgemaePAAHdL9ZU23R&response_type=code&redirect_uri=https%3A%2F%2Ftest-ps.gematik.de%2FePA&state=ez07Vj_XIqc&code_challenge=Blf92p5_xgzOvZGg_Rsi31kN0kNS3nCZcFAHFfwIPKg&code_challenge_method=S256&scope=gem-auth%2Bopenid&nonce=Ct4syakDgnk HTTP/1.1
> Host: idp-ref.zentral.idp.splitdns.ti-dienste.de
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 
< Date: Fri, 13 Sep 2024 14:09:43 GMT
< Content-Length: 0
< Connection: keep-alive
< cache-control: no-store
< pragma: no-cache
< location: https://test-ps.gematik.de/ePA?state=ez07Vj_XIqc&error=invalid_scope&gematik_code=1022&gematik_timestamp=1726236583&gematik_uuid=ed37df3d-0851-471e-9d99-e34a79345141&gematik_error_text=scope+ist+ung%C3%BCltig
< Strict-Transport-Security: max-age=31536000; includeSubDomains
< X-Frame-Options: DENY
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< 
* Connection #0 to host idp-ref.zentral.idp.splitdns.ti-dienste.de left intact
*

What is the correct scope?

ManuelB commented 1 month ago

The problem was the `+` encoded as `%2B`. When using a space it worked.
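The root cause in the thread can be reproduced offline. The following is an added example, not code from gematik/epa-deployment or from the issue author: OAuth 2.0 defines `scope` as a space-delimited list, and in a query string a space may be written as `%20` or `+`, whereas `%2B` decodes to a literal `+`, so the IdP sees one unknown scope `gem-auth+openid` and redirects back with `error=invalid_scope`. The parameter values are the ones quoted in the issue; the assumption that the request needs exactly the scopes `gem-auth` and `openid` is mine, as is the helper naming.

```python
# Added example; not code from gematik/epa-deployment or from the issue author.
# Demonstrates why scope=gem-auth%2Bopenid is rejected while gem-auth%20openid
# and gem-auth+openid are accepted: "scope" is a space-delimited list
# (RFC 6749 section 3.3), and %2B is a literal "+", not a separator.
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTH_ENDPOINT = "https://idp-ref.zentral.idp.splitdns.ti-dienste.de/auth"  # from the issue
# Assumption: the authorization request needs exactly these two scopes.
REQUIRED_SCOPES = frozenset({"gem-auth", "openid"})

# Request parameters as quoted in the issue (client_id, state, PKCE values, nonce).
PARAMS = {
    "client_id": "GEMgemaePAAHdL9ZU23R",
    "response_type": "code",
    "redirect_uri": "https://test-ps.gematik.de/ePA",
    "state": "ez07Vj_XIqc",
    "code_challenge": "Blf92p5_xgzOvZGg_Rsi31kN0kNS3nCZcFAHFfwIPKg",
    "code_challenge_method": "S256",
    "nonce": "Ct4syakDgnk",
}


def build_auth_url(scopes, params=PARAMS) -> str:
    """Join the scopes with a space, then percent-encode every parameter.

    quote() (rather than quote_plus) writes the space as %20 and would write a
    stray literal "+" as %2B, so what the IdP decodes is exactly what we joined.
    """
    query = urlencode({**params, "scope": " ".join(scopes)}, quote_via=quote)
    return AUTH_ENDPOINT + "?" + query


def raw_scope_param(url: str) -> str:
    """Return the scope parameter as it appears on the wire (still encoded)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == "scope":
            return value
    return ""


def decoded_scopes(url: str) -> list[str]:
    """What the IdP sees: parse_qs undoes percent-encoding and maps "+" to a space."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("scope", [""])[0].split(" ")


def scope_is_valid(url: str) -> bool:
    """Accept only the exact required scope set, the way the IdP in the issue does."""
    return frozenset(decoded_scopes(url)) == REQUIRED_SCOPES


def parse_error_redirect(location: str) -> dict[str, str]:
    """Flatten the error parameters the IdP put on its 302 Location header."""
    return {k: v[0] for k, v in parse_qs(urlsplit(location).query).items()}


if __name__ == "__main__":
    good = build_auth_url(["gem-auth", "openid"])
    # The mistake from the issue: "+" used as the separator *before* encoding.
    bad = build_auth_url(["gem-auth+openid"])
    print(raw_scope_param(good), scope_is_valid(good))  # gem-auth%20openid True
    print(raw_scope_param(bad), scope_is_valid(bad))    # gem-auth%2Bopenid False
    # A literal "+" written directly into the query string is decoded as a space, too.
    print(scope_is_valid(AUTH_ENDPOINT + "?scope=gem-auth+openid"))  # True
    # Location header from the issue's curl output, decoded:
    print(parse_error_redirect(
        "https://test-ps.gematik.de/ePA?state=ez07Vj_XIqc&error=invalid_scope"
        "&gematik_code=1022&gematik_error_text=scope+ist+ung%C3%BCltig"))
```

Build the scope value from a list and let the encoder handle separators; if a client concatenates scopes with `+` and then percent-encodes, the `+` becomes `%2B` and the IdP sees a single scope that does not exist.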