juanifioren / django-oidc-provider

OpenID Connect and OAuth2 provider implementation for Djangonauts.
http://django-oidc-provider.readthedocs.org
MIT License

interop with https://github.com/pingidentity/lua-resty-openidc #133

Closed dholth closed 8 years ago

dholth commented 8 years ago

Thanks for django-oidc-provider, it is amazing.

I'm trying to use it with lua-resty-openidc which performs the following requests

GET /authorize?scope=code%20id_token&client_id=471746&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code

POST /token code=fdd5ff7ce2b14b42a5f1c2c063bb3b9a&client_id=471746&state=7c3ce94c606700d4fda65d9ae6dc806d&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2%2Fcallback&client_secret=06e53969f87da66e0a8c1f4d85346ba6efdb1927636c09d35d322e08

django-oidc-provider returns an empty {} id_token because is_authentication is False. https://github.com/juanifioren/django-oidc-provider/blob/v0.4.x/oidc_provider/lib/endpoints/token.py#L152

But, lua-resty-openidc expects a non-empty id_token with at minimum the issuer.

{"access_token": "ccd4b37ecd8745ab807017973089a08b", "token_type": "bearer", "expires_in": 3600, "refresh_token": "869fcc0c945b41e397dbd7c0bef2dcb0", "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRkOGE1ODI0NWNjZWNjNGQxNjgyOGU1MGI3N2VkMzBmIn0.e30.0zSwT08G-0Lbx8u-qpMH5soRl5mJAuoOipAJeDKg5Mnn4d6PscIcCyaDZqR0H3gpE-ZD0ALjIPsWtdoxscb4hH4sgmXusyLudlzeEggBjIyHIa-H9oBzt6znLP4AJzv3XwecOTJ3hrNiwKbulFFH0PnSsH9WyKgHn3BwamZU3LE"}

Solution so far is just to patch is_authentication or True. Am I missing something by not requesting the right token earlier from lua-resty-openidc?

juanifioren commented 8 years ago

I'll test it. But I don't understand why you have scope=code%20id_token... shouldn't that be the value of the response_type parameter?

Btw, if you are trying to do an Authentication (oidc request) you must include openid in your scope list.

dholth commented 8 years ago

Thanks. If I set scope to "code id_token openid" in the client then the request just fails. Is django-oidc-provider parsing scope properly? Or does that exact string need to be added to the "Response Type" dropdown on the Change Client page? I would type it in, but it is a selection widget.

juanifioren commented 8 years ago

scope is for openid or oauth2 claims (openid, profile, email, address, etc). response_type is to define the flow. Values are:

So in your case your request should be:

/authorize?scope=openid+profile+email&client_id=471746&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code%20id_token

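
The requests quoted in this thread show scope and response_type swapped, and a token response whose id_token payload segment is `e30`, which is base64url for `{}`. The script below is an added example, not code from django-oidc-provider or lua-resty-openidc: it parses the quoted authorization requests, checks the parameters that make a request an OIDC authentication (openid in scope, a known response_type, a nonce when id_token is returned from the authorization endpoint), and decodes the quoted id_token without verifying its signature so the empty claim set is visible. It also compares the redirect_uri sent to the two endpoints, because in the quoted requests the authorize call uses https and the token call uses http, while RFC 6749 section 4.1.3 requires the token-endpoint value to be identical to the one in the authorization request. The function names, the problem messages and the list of valid response_type values are my own; the sample requests are copied from this issue.

```python
"""Added example: inspect the OIDC requests and the id_token quoted in this issue.

Not part of django-oidc-provider; helper names and messages are the author's own.
"""
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Sample input copied from the thread (constructed here, not captured live).
ORIGINAL_AUTHORIZE = (
    "/authorize?scope=code%20id_token&client_id=471746"
    "&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33"
    "&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code"
)
ORIGINAL_TOKEN_BODY = (
    "code=fdd5ff7ce2b14b42a5f1c2c063bb3b9a&client_id=471746"
    "&state=7c3ce94c606700d4fda65d9ae6dc806d&grant_type=authorization_code"
    "&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2%2Fcallback"
    "&client_secret=06e53969f87da66e0a8c1f4d85346ba6efdb1927636c09d35d322e08"
)
CORRECTED_AUTHORIZE = (
    "/authorize?scope=openid+profile+email&client_id=471746"
    "&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33"
    "&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code%20id_token"
)
EMPTY_ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRkOGE1ODI0NWNjZWNjNGQxNjgyOGU1MGI3N2VkMzBmIn0.e30."
    "0zSwT08G-0Lbx8u-qpMH5soRl5mJAuoOipAJeDKg5Mnn4d6PscIcCyaDZqR0H3gpE-ZD0ALjIPsWtdoxscb4hH4s"
    "gmXusyLudlzeEggBjIyHIa-H9oBzt6znLP4AJzv3XwecOTJ3hrNiwKbulFFH0PnSsH9WyKgHn3BwamZU3LE"
)

# response_type values from OAuth 2.0 and OIDC Core, compared as sets because the
# order of the space-separated words is not significant.
VALID_RESPONSE_TYPES = {
    frozenset(rt.split())
    for rt in ("code", "id_token", "id_token token",
               "code id_token", "code token", "code id_token token")
}
RESPONSE_TYPE_WORDS = {"code", "id_token", "token"}


def parse_query(query):
    """Flatten a form-encoded query string or POST body to single values."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def decode_jwt_unverified(token):
    """Return (header, payload) of a compact JWS. The signature is NOT checked;
    this only shows what the provider put into the token."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def check_authn_request(url):
    """List problems with an OIDC authentication request; [] means it is well-formed."""
    params = parse_query(urlsplit(url).query)
    problems = []
    scopes = set(params.get("scope", "").split())
    response_type = params.get("response_type", "")
    misplaced = scopes & RESPONSE_TYPE_WORDS
    if misplaced:
        problems.append(f"scope carries response_type values {sorted(misplaced)}")
    if "openid" not in scopes:
        problems.append("scope lacks 'openid': treated as plain OAuth2, so no ID Token claims")
    if frozenset(response_type.split()) not in VALID_RESPONSE_TYPES:
        problems.append(f"unknown response_type {response_type!r}")
    if "id_token" in response_type.split() and "nonce" not in params:
        problems.append("nonce is required when id_token is returned from the authorization endpoint")
    for required in ("client_id", "redirect_uri"):
        if required not in params:
            problems.append(f"missing {required}")
    return problems


def redirect_uri_consistent(authorize_url, token_body):
    """RFC 6749 section 4.1.3: the token request's redirect_uri must be identical
    to the one sent to the authorization endpoint (scheme included)."""
    authorize_uri = parse_query(urlsplit(authorize_url).query).get("redirect_uri")
    token_uri = parse_query(token_body).get("redirect_uri")
    return authorize_uri is not None and authorize_uri == token_uri


if __name__ == "__main__":
    for label, url in (("original", ORIGINAL_AUTHORIZE), ("corrected", CORRECTED_AUTHORIZE)):
        print(label, check_authn_request(url) or "ok")
    print("redirect_uri consistent:", redirect_uri_consistent(ORIGINAL_AUTHORIZE, ORIGINAL_TOKEN_BODY))
    header, payload = decode_jwt_unverified(EMPTY_ID_TOKEN)
    print("id_token header:", header, "payload:", payload)
```

Running it reports two problems for the original request (response_type words in scope, no openid), none for the corrected one, a redirect_uri mismatch between the two quoted requests, and an id_token whose payload is `{}` under an RS256 header. A relying party should still reject such a token: the signature being valid says nothing about the claims, and OIDC Core requires at least iss, sub, aud, exp and iat.

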
dholth commented 8 years ago

Thank you so much. One last question, is there a reason one client cannot use more than one response_type? Or should I just have multiple clients?

dholth commented 8 years ago

It works, in 'code' mode (set in both RP and OP), with the mentioned scope.