inabajunmr / azidp4j

[alpha] Java OAuth 2.0 Authorization Server & OpenID Connect Identity Provider Library for any web application framework.
MIT License
4 stars 0 forks

claims parameter #105

Closed inabajunmr closed 1 year ago

inabajunmr commented 1 year ago

https://github.com/inabajunmr/azidp4j/pull/108/files

inabajunmr commented 1 year ago

The current model has problems when claims affect what users should do next. For example, if the acr claim expects AAL2 and the following situations apply, an application can't handle it.

In this case, the current AzIdP4J judges that it should return a success response by redirect for this authorization request.

inabajunmr commented 1 year ago

returns pending

When the expected next action is redirect, the caller still has the possibility of sending a non-redirect response, e.g. additional authentication for the acr claim.

In this case, AzIdP4J doesn't want to issue any tokens because they would be wasted.

In this model, the caller calls an additional method like redirect() when response.next is redirect and the caller wants to get the redirect URL.

var response = azIdP.authorize(authzReq);

// azidp4j responds with what the authorization should do next.
switch (response.next) {
    case redirect -> {
        // pseudocode: the claims parameter asks for authentication the session lacks
        if (response.authorizationRequest.claims requires additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}

But not all redirect patterns require additional authentication (when a user doesn't have a high enough AAL), because there are error redirect responses too. So the caller needs to judge whether the response is a success or not.

inabajunmr commented 1 year ago

But it requires a more complicated implementation for simple identity providers.

inabajunmr commented 1 year ago

poc https://github.com/inabajunmr/azidp4j/pull/109/files

inabajunmr commented 1 year ago

distinguished success and failure responses

switch (response.next) {
    case errorRedirect -> {
        // an error redirect never needs more authentication
        var redirect = response.redirect(); // or just response.redirectTo
        return "redirect:" + redirect;
    }
    case successRedirect -> {
        // pseudocode: the claims parameter asks for authentication the session lacks
        if (response.authorizationRequest.claims requires additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}

not distinguished

This pattern doesn't require distinguishing them if the caller doesn't need this distinction.

switch (response.next) {
    case redirect -> {
        // pseudocode: only a success redirect can need additional authentication
        if (response.type.equals(successRedirect) && response.authorizationRequest.claims requires additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}
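The caller-side decision sketched in the "returns pending" comment and in the two variants above, written out as an added, self-contained example. This is not azidp4j code and not its API: every type and method name here (NextAction, RedirectType, ClaimRequest, AuthorizationRequest, AuthorizationResponse, Session, acrSatisfied, decide) is an assumption for illustration, the acr vocabulary "aal1"/"aal2"/"aal3" is assumed, and the claims parameter is taken as already parsed into a map rather than raw JSON. It follows the "not distinguished" shape (one redirect next action plus a success/error type) and adds the two checks a practitioner would want around the "additional login flow" branch: an essential acr that the IdP can never satisfy is a failed authentication per OpenID Connect Core 5.5.1.1, and prompt=none forbids the step-up interaction.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example (not azidp4j code): a caller-side model of "redirect, but first check
// whether the claims parameter needs more authentication". All names here are assumptions.
public class ClaimsNextActionExample {

    // What the caller is told to do next; only the redirect case matters for this thread.
    enum NextAction { redirect }

    // The "not distinguished" variant: one next action, success/error carried in a type field.
    enum RedirectType { successRedirect, errorRedirect }

    // One member of an OIDC claims request object, e.g. {"essential":true,"values":["aal2"]}.
    record ClaimRequest(boolean essential, List<String> values) {}

    // The parts of the parsed authorization request that the decision needs (assumed shape).
    record AuthorizationRequest(Map<String, ClaimRequest> idTokenClaims, boolean promptNone) {}

    // The response the caller gets back before any code or token has been minted.
    record AuthorizationResponse(NextAction next, RedirectType type,
                                 AuthorizationRequest authorizationRequest) {}

    // acr values the current session has already achieved, e.g. "aal1" after a password login.
    record Session(Set<String> achievedAcrs) {}

    enum Decision {
        REDIRECT,                  // safe to build the redirect URL (and only now issue a code)
        ADDITIONAL_AUTHENTICATION, // run a step-up flow first; nothing has been issued yet
        FAIL_LOGIN_REQUIRED,       // step-up needed but prompt=none forbids interaction
        FAIL_ESSENTIAL_ACR         // essential acr requested that this IdP cannot satisfy
    }

    /** True when the requested acr claim (if any) is already met by the session. */
    static boolean acrSatisfied(ClaimRequest acr, Session session) {
        if (acr == null) return true;                                    // acr not requested
        if (acr.values() == null || acr.values().isEmpty()) return true; // no specific value asked
        return acr.values().stream().anyMatch(session.achievedAcrs()::contains);
    }

    static Decision decide(AuthorizationResponse response, Session session, Set<String> supportedAcrs) {
        if (response.next() != NextAction.redirect) {
            throw new IllegalArgumentException("example only handles next=redirect");
        }
        // An error redirect (error=... in the query) never needs more authentication.
        if (response.type() == RedirectType.errorRedirect) return Decision.REDIRECT;

        var acr = response.authorizationRequest().idTokenClaims().get("acr");
        if (acrSatisfied(acr, session)) return Decision.REDIRECT;

        boolean achievable = acr.values().stream().anyMatch(supportedAcrs::contains);
        if (!achievable) {
            // OIDC Core 5.5.1.1: an unsatisfiable essential acr is a failed authentication;
            // a voluntary one may proceed with whatever acr the session already has.
            return acr.essential() ? Decision.FAIL_ESSENTIAL_ACR : Decision.REDIRECT;
        }
        // prompt=none forbids any user interaction, so a step-up flow is not an option.
        if (response.authorizationRequest().promptNone()) return Decision.FAIL_LOGIN_REQUIRED;
        return Decision.ADDITIONAL_AUTHENTICATION;
    }

    public static void main(String[] args) {
        // Constructed sample data: an IdP that can do aal1 and aal2, a password-only session.
        var supported = Set.of("aal1", "aal2");
        var pwOnly = new Session(Set.of("aal1"));
        var wantAal2 = Map.of("acr", new ClaimRequest(true, List.of("aal2")));

        // 1. Success redirect, but the claims parameter wants AAL2: step up before redirecting.
        var r1 = new AuthorizationResponse(NextAction.redirect, RedirectType.successRedirect,
                new AuthorizationRequest(wantAal2, false));
        System.out.println("success redirect, essential aal2, session aal1 -> " + decide(r1, pwOnly, supported));

        // 2. Same request but an error redirect: just bounce the user back, no step-up.
        var r2 = new AuthorizationResponse(NextAction.redirect, RedirectType.errorRedirect,
                new AuthorizationRequest(wantAal2, false));
        System.out.println("error redirect -> " + decide(r2, pwOnly, supported));

        // 3. Same request with prompt=none: interaction is forbidden, so fail instead of stepping up.
        var r3 = new AuthorizationResponse(NextAction.redirect, RedirectType.successRedirect,
                new AuthorizationRequest(wantAal2, true));
        System.out.println("success redirect, prompt=none -> " + decide(r3, pwOnly, supported));

        // 4. Essential acr value this IdP never issues: failed authentication per OIDC Core.
        var unknown = Map.of("acr", new ClaimRequest(true, List.of("aal3")));
        var r4 = new AuthorizationResponse(NextAction.redirect, RedirectType.successRedirect,
                new AuthorizationRequest(unknown, false));
        System.out.println("success redirect, essential aal3 -> " + decide(r4, pwOnly, supported));
    }
}
```

The ordering inside decide() is the point of the "returns pending" model: the error-redirect check comes first because an error redirect can never need step-up, and the redirect URL (and with it any authorization code) is only produced after the acr and prompt checks pass, so nothing is minted for a request that then goes through additional authentication.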

inabajunmr commented 1 year ago

https://github.com/inabajunmr/azidp4j/pull/111