
[gateway] [identity-provider] OIDC provider - use the id_token returned by the OpenID Provider when using the code flow AND the option "use ID token for user info" #3270

Closed bcollard closed 4 years ago

bcollard commented 4 years ago

WHEN using the authorization code flow for an OIDC provider AND if I choose to use the returned id_token because the UserInfo is unavailable, THEN the AM should read the id_token instead of the access_token

Config in the OIDC provider: [image]

Expected Behavior

The token returned by this method : https://github.com/gravitee-io/graviteeio-access-management/blob/3b77c557e4b262b6207431aa02a10dde04a6139a/gravitee-am-identityprovider/gravitee-am-identityprovider-oauth2-generic/src/main/java/io/gravitee/am/identityprovider/oauth2/authentication/OAuth2GenericAuthenticationProvider.java#L138

should be the id_token

So, in my opinion, you could add an IF statement like this one: configuration.isUseIdTokenForUserInfo() at that line: https://github.com/gravitee-io/graviteeio-access-management/blob/3b77c557e4b262b6207431aa02a10dde04a6139a/gravitee-am-identityprovider/gravitee-am-identityprovider-oauth2-generic/src/main/java/io/gravitee/am/identityprovider/oauth2/authentication/OAuth2GenericAuthenticationProvider.java#L184

and depending on that option, either return the access_token or the id_token.

AM version is 2.10.9

tcompiegne commented 4 years ago

Hi @bcollard ,

If you change the OpenID Connect Flow to id_token, the authentication process will use the id_token instead of the access_token

bcollard commented 4 years ago

Hey, well yes, but I'm not allowed to use the implicit flow. So, when using the authorization code flow, both "id_token" and "access_token" are returned when exchanging the code against the token endpoint. See https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

In my case, I would like to use this authZ code flow, and to grab the "id_token" returned by the AS at that moment. Also, the UserInfo endpoint is not open. That's why I checked the option "use the ID token (when the UserInfo endpoint is missing)".

tcompiegne commented 4 years ago

Ok thanks for the input, will be fixed in the next 2.10.x release.

bcollard commented 4 years ago

Great! Thank you!