jeremy379 / laravel-openid-connect

Implement OpenID Connect inside Laravel
MIT License

Allow Custom Token Headers #3

Closed coffe4u closed 1 year ago

coffe4u commented 1 year ago

This allows you to set any number of token headers that you would like, including none, via the new openid.token_headers configuration parameter. This can be useful for a number of reasons, but my primary use is to add the header kid with my Key ID value.

jeremy379 commented 1 year ago

I'm not sure I understand the reason; maybe you can also add a few lines of documentation in the README to document this?

coffe4u commented 1 year ago

I will add some info to the readme.

My primary use for this is that we have another application that my company acquired and we want to connect the two using OpenID Connect. That other application is using Google Firebase. To connect your Firebase application to an OpenID Connect provider, you basically just get to provide a "Well Known Configuration URL". This configuration file is defined as part of the OpenID Connect Discovery specification: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest

The expected response is defined here https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationResponse and here https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata. The part that is really missing that I've been working on is the jwks_uri. That URI is supposed to describe your JSON Web Key Set [JWK] document. This contains information on the signing key(s).

Really the JWKS concept is used to allow for more than one key but I still have to deal with it because Google is expecting it. The multiple keys idea leads to the idea of the Key ID or kid https://datatracker.ietf.org/doc/html/rfc7517#section-4.5
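Added example (not code from jeremy379/laravel-openid-connect) illustrating the two halves the comment above describes: the provider publishing a JWKS document whose entries carry a kid, and a relying party selecting the key by the kid found in the JWT header before checking the RS256 signature. It assumes ext-openssl, generates keys inline for the demo (a real provider loads persisted keys), and the kid values, issuer and claims are constructed placeholders.

```php
<?php
// Added example, not part of the package. Requires ext-openssl (PHP 8+).

function b64url(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64urlDecode(string $data): string {
    return base64_decode(strtr($data, '-_', '+/') . str_repeat('=', (4 - strlen($data) % 4) % 4));
}

// --- minimal DER helpers so a JWK (n, e) can be turned back into a PEM key ---
function der(int $tag, string $content): string {
    $len = strlen($content);
    if ($len < 0x80) {
        return chr($tag) . chr($len) . $content;
    }
    $lenBytes = ltrim(pack('N', $len), "\0");                  // long form: 0x8N + N length bytes
    return chr($tag) . chr(0x80 | strlen($lenBytes)) . $lenBytes . $content;
}

function derUnsignedInt(string $bin): string {
    $bin = ltrim($bin, "\0");
    if ($bin === '') { $bin = "\0"; }
    if (ord($bin[0]) & 0x80) { $bin = "\0" . $bin; }          // keep the INTEGER positive
    return der(0x02, $bin);
}

// SubjectPublicKeyInfo for rsaEncryption (OID 1.2.840.113549.1.1.1), as PEM.
function jwkToPem(array $jwk): string {
    $rsaPublicKey = der(0x30, derUnsignedInt(b64urlDecode($jwk['n'])) . derUnsignedInt(b64urlDecode($jwk['e'])));
    $algorithm    = der(0x30, "\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00");
    $spki         = der(0x30, $algorithm . der(0x03, "\0" . $rsaPublicKey));
    return "-----BEGIN PUBLIC KEY-----\n" . chunk_split(base64_encode($spki), 64, "\n") . "-----END PUBLIC KEY-----\n";
}

// --- provider side: JWKS entry (RFC 7517) and a token whose header names its key ---
function rsaPublicJwk(\OpenSSLAsymmetricKey $key, string $kid): array {
    $rsa = openssl_pkey_get_details($key)['rsa'];
    return ['kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => $kid,
            'n' => b64url($rsa['n']), 'e' => b64url($rsa['e'])];
}

function signRs256(array $claims, \OpenSSLAsymmetricKey $privateKey, string $kid): string {
    $header = ['alg' => 'RS256', 'typ' => 'JWT', 'kid' => $kid];   // kid is the extra header
    $signingInput = b64url(json_encode($header)) . '.' . b64url(json_encode($claims));
    openssl_sign($signingInput, $signature, $privateKey, OPENSSL_ALGO_SHA256);
    return $signingInput . '.' . b64url($signature);
}

// --- relying-party side: select the key by kid, then verify the signature ---
function verifyWithJwks(string $jwt, array $jwks): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header = json_decode(b64urlDecode($h), true);
    // Pin the algorithm we expect instead of trusting whatever "alg" says.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'RS256' || empty($header['kid'])) { return null; }
    foreach ($jwks['keys'] as $jwk) {
        if (($jwk['kid'] ?? null) !== $header['kid'] || ($jwk['kty'] ?? null) !== 'RSA') { continue; }
        $publicKey = openssl_pkey_get_public(jwkToPem($jwk));
        if ($publicKey !== false && openssl_verify("$h.$p", b64urlDecode($s), $publicKey, OPENSSL_ALGO_SHA256) === 1) {
            return json_decode(b64urlDecode($p), true);
        }
        return null;   // a key with this kid exists but the signature does not match
    }
    return null;       // unknown kid: nothing in the JWKS can vouch for this token
}

// Demo: two keys in rotation, token signed with the second one (constructed values).
$keys = [];
foreach (['2023-key-a', '2023-key-b'] as $kid) {
    $keys[$kid] = openssl_pkey_new(['private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048]);
}
$jwks = ['keys' => array_map(fn($kid) => rsaPublicJwk($keys[$kid], $kid), array_keys($keys))];
echo json_encode($jwks, JSON_PRETTY_PRINT), "\n";   // what the jwks_uri endpoint would serve

$claims = ['iss' => 'https://idp.example', 'sub' => '42', 'exp' => time() + 300];
$jwt = signRs256($claims, $keys['2023-key-b'], '2023-key-b');
var_dump(verifyWithJwks($jwt, $jwks));                               // kid found in the JWKS: claims returned
var_dump(verifyWithJwks($jwt, ['keys' => [$jwks['keys'][0]]]));      // JWKS lacks that kid: token rejected
```

The relying party never tries every key: it matches the token's kid against the JWKS and verifies against that one key only, which is why a token without a kid header (the situation before this PR) cannot be validated by a consumer such as Firebase that resolves keys through jwks_uri. Key rotation then amounts to publishing the new key under a fresh kid and keeping the old entry until its tokens have expired.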

coffe4u commented 1 year ago

Once I get all of this working, I'm planning on submitting another PR so that the package can add the "Well Known Configuration URL" & JWKS for you.

coffe4u commented 1 year ago

I've been using https://token.dev/ to verify my JWT at the end of the process. After adding the kid to the token header, it was finally fully verified via my JWKS Endpoint!


coffe4u commented 1 year ago

@jeremy379 I just added some info to the README.