Open amaierhofer opened 2 days ago
When testing with oidcdebugger.com, the PKCE flow seems to be fine.
via applogin
{"method":"POST","path":"/en/users/sign_in","format":"html","controller":"Devise::Hitobito::SessionsController","action":"create","status":303,"allocations":39338,"duration":166.81,"view":0.0,"db":0.0,"location":"https://sac-cas.puzzle.ch/oauth/authorize","time":"2024-10-04 14:30:56 +0200","request_uuid":"e9d593ac-aba5-4b3b-a830-ce3c74bc5016","params":"{authenticity_token: '7hl1/6AyyOPpEP8QL0/X4Gee7iKE7iDJy1ga03SRv2k7PXvTKco01nM/I16NMg0PFqQQSFwq8BTaYVZyvSSg2g==', person: {login_identity: 'testubique2@ubique.ch', password: '[FILTERED]', remember_me: '0'}, button: '', oauth: 'true', locale: 'en'}","user_id":600520}
{"method":"GET","path":"/oauth/authorize","format":"html","controller":"Doorkeeper::AuthorizationsController","action":"new","status":302,"allocations":14527,"duration":43.46,"view":0.0,"db":0.0,"location":"sacappdev://signin-oidc","time":"2024-10-04 14:30:56 +0200","request_uuid":"f82a5a84-c31b-40f3-831a-da583709dde0","params":"{redirect_uri: 'sacappdev://signin-oidc', client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', response_type: 'code', prompt: 'login', ui_locales: 'en-GB de-CH nb-NO fr-CH it-CH', state: 'qlNYjf3C5mFAJc2e7nP_9g', nonce: 'cU8TF2WgFDuSF3cbtiyh8w', scope: 'openid', code_challenge: 'tWcE8HbXpGPvg0pdZoQXOV4Fcy6QqfXJcOL4fAfT3s4', code_challenge_method: 'S256', language: 'en'}","user_id":600520}
via oidcdebugger
{"method":"POST","path":"/de/users/sign_in","format":"html","controller":"Devise::Hitobito::SessionsController","action":"create","status":303,"allocations":32208,"duration":182.22,"view":0.0,"db":0.0,"location":"https://sac-cas.puzzle.ch/oauth/authorize","time":"2024-10-04 16:58:21 +0200","request_uuid":"06f20fd5-99bf-41be-b975-d3eeeebe992f","params":"{authenticity_token: 'F1NxCpJb/oKEasU3zePY28sR5JhtgjfpiFySgjEJeeYDh2OKsms6yZxP8Xa6YV4GDKoINCExYWQWeNxNW/B7Cw==', person: {login_identity: 'hitobito-sac-cas@puzzle.ch', password: '[FILTERED]', remember_me: '0'}, button: '', oauth: 'true', locale: 'de'}","user_id":600000}
{"method":"GET","path":"/oauth/authorize","format":"html","controller":"Doorkeeper::AuthorizationsController","action":"new","status":302,"allocations":17161,"duration":52.97,"view":0.0,"db":0.0,"location":"https://oidcdebugger.com/debug#code=F0rtuJBO0vgaqNL1UijimdyHDglaDFx7radIQSK-JQQ&state=8isbempx1sw","time":"2024-10-04 16:58:21 +0200","request_uuid":"9d156855-d395-47bd-95f3-16e4731f70f5","params":"{client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', redirect_uri: 'https://oidcdebugger.com/debug', scope: 'openid', response_type: 'code', response_mode: 'fragment', code_challenge_method: 'S256', code_challenge: 'g85KMxdScHJIMmEklWA6LI9_uamv_PyNiC-REcgjd2k', state: '8isbempx1sw', nonce: 'qpcyxr1cuc'}","user_id":600000}
{"method":"POST","path":"/oauth/token","format":"*/*","controller":"Doorkeeper::TokensController","action":"create","status":200,"allocations":14551,"duration":48.63,"view":0.25,"db":0.0,"time":"2024-10-04 16:58:22 +0200","request_uuid":null,"params":"{client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', code: '[FILTERED]', code_verifier: 'K1l6OgZ1P5w8IT1XeRaLZkZr7ADadYhvsPaoDI6lxgA', grant_type: 'authorization_code', redirect_uri: 'https://oidcdebugger.com/debug'}"}
Besides the request format, there are the following differences in the parameters of the /oauth/authorize GET request:
[6] pry(main)> app.keys - oidc.keys
=> [:prompt, :ui_locales, :language]
[7] pry(main)> oidc.keys - app.keys
=> [:response_mode]
Currently the OIDC authorization flow does not work in the app. It may be related to the PKCE extension the app uses.
Why exactly Doorkeeper redirects back into the app after the login with
sacappdev://signin-oidc?error=login_required&error_description=The+authorization+server+requires+end-user+authentication&state=VL0uBHopjeSJ9I0MwevgwA
is unclear.

For local testing of OIDC, JWT_SIGNING_KEY must be set.
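As an added illustration (example code, not hitobito's or Doorkeeper's own implementation) of the PKCE step the issue suspects: this is the check an authorization server performs at /oauth/token, recomputing the S256 code_challenge from the submitted code_verifier and comparing it with the challenge stored at /oauth/authorize (RFC 7636). The two constants at the bottom are the values from the oidcdebugger log lines above and are only fed in as sample input.

```ruby
require 'digest'
require 'base64'

# Added example of the RFC 7636 PKCE verification an authorization server
# such as Doorkeeper runs when exchanging an authorization code for a token.
module PkceCheck
  # RFC 7636 section 4.1: a code_verifier is 43..128 unreserved characters.
  VERIFIER_RE = /\A[A-Za-z0-9\-._~]{43,128}\z/.freeze

  # code_challenge = BASE64URL(SHA256(ASCII(code_verifier))), without '=' padding.
  def self.s256_challenge(verifier)
    Base64.urlsafe_encode64(Digest::SHA256.digest(verifier), padding: false)
  end

  def self.valid_verifier?(verifier)
    verifier.is_a?(String) && VERIFIER_RE.match?(verifier)
  end

  # Constant-time byte comparison, so a mismatch leaks no position information.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # true only when the code_verifier sent to /oauth/token matches the
  # code_challenge that was bound to the authorization code at /oauth/authorize.
  def self.verify(verifier, challenge, method = 'S256')
    return false unless valid_verifier?(verifier) && challenge.is_a?(String)
    expected = case method
               when 'S256'  then s256_challenge(verifier)
               when 'plain' then verifier
               else return false # unknown code_challenge_method is rejected
               end
    secure_equal?(expected, challenge)
  end
end

# Sample input taken from the oidcdebugger request log in this issue.
LOGGED_CHALLENGE = 'g85KMxdScHJIMmEklWA6LI9_uamv_PyNiC-REcgjd2k'.freeze
LOGGED_VERIFIER  = 'K1l6OgZ1P5w8IT1XeRaLZkZr7ADadYhvsPaoDI6lxgA'.freeze

if $PROGRAM_NAME == __FILE__
  puts "S256 challenge of logged verifier: #{PkceCheck.s256_challenge(LOGGED_VERIFIER)}"
  puts "verifier matches logged challenge: #{PkceCheck.verify(LOGGED_VERIFIER, LOGGED_CHALLENGE, 'S256')}"
end
```

The same function applied to the app flow (code_challenge_method 'S256', code_challenge from the app's /oauth/authorize request and the code_verifier it later sends to /oauth/token) shows whether the app's PKCE pair is consistent, independent of the prompt or response_mode differences listed above.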