navikt / mock-oauth2-server

A scriptable/customizable web server for testing HTTP clients using OAuth2/OpenID Connect or applications with a dependency to a running OAuth2 server (i.e. APIs requiring signed JWTs from a known issuer)
MIT License
245 stars 59 forks

Wrong issuer value? #767

Closed m1212e closed 1 day ago

m1212e commented 1 week ago

Hi, I get this error when I try to run the container as a dev mock oidc instance:

  code: 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED',
  [cause]: {
    expected: 'http://localhost:8080/',
    body: {
      issuer: 'http://localhost:8080/.well-known/openid-configuration',
      authorization_endpoint: 'http://localhost:8080/.well-known/openid-configuration/authorize',
      end_session_endpoint: 'http://localhost:8080/.well-known/openid-configuration/endsession',
      revocation_endpoint: 'http://localhost:8080/.well-known/openid-configuration/revoke',
      token_endpoint: 'http://localhost:8080/.well-known/openid-configuration/token',
      userinfo_endpoint: 'http://localhost:8080/.well-known/openid-configuration/userinfo',
      jwks_uri: 'http://localhost:8080/.well-known/openid-configuration/jwks',
      introspection_endpoint: 'http://localhost:8080/.well-known/openid-configuration/introspect',
      response_types_supported: [Array],
      response_modes_supported: [Array],
      subject_types_supported: [Array],
      id_token_signing_alg_values_supported: [Array],
      code_challenge_methods_supported: [Array]
    },
    attribute: 'issuer'
  }
}

I use the openid-client npm package in Node.js to run OIDC requests etc. against the container.

    import { discovery, allowInsecureRequests } from 'openid-client';

    // Hooks passed to discovery(); the http:// mock only works with
    // allowInsecureRequests, so it is added outside production.
    const execute = [];
    if (configPrivate.NODE_ENV === 'development') {
        execute.push(allowInsecureRequests);
    }
    const config = await discovery(
        new URL(configPublic.PUBLIC_OIDC_AUTHORITY),
        configPublic.PUBLIC_OIDC_CLIENT_ID,
        {
            client_secret: configPrivate.OIDC_CLIENT_SECRET,
            token_endpoint_auth_method: configPrivate.OIDC_CLIENT_SECRET ? undefined : 'none'
        },
        undefined,
        {
            execute
        }
    );

This is the container compose config:

  mockoidc:
    image: ghcr.io/navikt/mock-oauth2-server:2.1.10
    ports:
      - 8080:8080
    environment:
      JSON_CONFIG: >
        {
          "interactiveLogin": true,
          "httpServer": "NettyWrapper",
          "tokenCallbacks": [
              {
                "issuerId": "issuer1",
                "tokenExpiry": 120,
                "requestMappings": [
                  {
                    "requestParam": "code",
                    "match": "code1",
                    "claims": {
                      "sub": "subByCode",
                      "aud": [
                          "audByCode"
                      ]
                    }
                  }
                ]
              }
          ]
        }

these are the configured env config vars:

PUBLIC_OIDC_AUTHORITY=http://localhost:8080/
PUBLIC_OIDC_CLIENT_ID=issuer1

Do you happen to know what's causing this? I think I misconfigured the mock container, but I cannot seem to find what I need to change! Thank you very much!

tommytroen commented 5 days ago

@m1212e It looks like you are using the discovery functionality in openid-client, so you need to point the env var PUBLIC_OIDC_AUTHORITY to the .well-known endpoint in the mock-oauth2-server. Also, the mock-oauth2-server's main functionality is built around supporting multiple issuers with an issuerId, so the URL should also contain an identifier for your particular issuer, e.g. http://localhost:8080/yourissuerid/. The identifier can be whatever you choose. So for your case I would put the following in your env var:

PUBLIC_OIDC_AUTHORITY=http://localhost:8080/default/.well-known/openid-configuration
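The error in the report and the fix in the reply both come down to one check that OpenID Connect Discovery requires of a client: the `issuer` announced in the discovery document must equal the issuer the client was configured to expect, otherwise the metadata (and every endpoint and JWKS it points to) is rejected. The following is an added example, not code from the issue, from openid-client or from mock-oauth2-server; it reproduces that check offline against two constructed discovery documents, one with the issuer value from the report and one for an issuer named `default`. How it derives the expected issuer from an authority that already contains `/.well-known/` (the part in front of the suffix) is an assumption of this example.

```javascript
// Added example: the discovery issuer check, reproduced offline.
// Not code from the issue, openid-client or mock-oauth2-server.

// Derive the discovery URL and the expected issuer from the configured
// authority. Assumption of this example: an authority that already contains
// "/.well-known/" is fetched as-is and the expected issuer is the part in
// front of that marker; otherwise the well-known suffix is appended and the
// authority itself is the expected issuer.
function discoveryTarget(authority) {
  const url = new URL(authority);
  const marker = '/.well-known/';
  const idx = url.pathname.indexOf(marker);
  if (idx >= 0) {
    const issuer = new URL(url.href);
    issuer.pathname = url.pathname.slice(0, idx);
    issuer.search = '';
    issuer.hash = '';
    return { discoveryUrl: url.href, expectedIssuer: issuer.href };
  }
  const base = url.pathname.endsWith('/') ? url.pathname.slice(0, -1) : url.pathname;
  const discovery = new URL(url.href);
  discovery.pathname = `${base}/.well-known/openid-configuration`;
  return { discoveryUrl: discovery.href, expectedIssuer: url.href };
}

// Validate a discovery document: its "issuer" must be exactly the issuer the
// client expects. A document that names a different issuer must not be used,
// since everything else in it (endpoints, jwks_uri) would then be trusted on
// the wrong party's say-so. The error code is the one shown in the report.
function processDiscovery(expectedIssuer, metadata) {
  if (typeof metadata.issuer !== 'string' || metadata.issuer.length === 0) {
    throw new Error('discovery document has no "issuer"');
  }
  if (metadata.issuer !== expectedIssuer) {
    const err = new Error('"issuer" in the discovery document does not match the expected issuer');
    err.code = 'OAUTH_JSON_ATTRIBUTE_COMPARISON_FAILED';
    err.cause = { expected: expectedIssuer, actual: metadata.issuer, attribute: 'issuer' };
    throw err;
  }
  return metadata;
}

// Constructed discovery documents (sample data for this example only).
// The first carries the issuer value from the report's error output; the
// second is a document for an issuer with issuerId "default", whose issuer
// is the URL in front of the well-known suffix, which is what the fix in the
// reply relies on.
const DOC_MISCONFIGURED = {
  issuer: 'http://localhost:8080/.well-known/openid-configuration',
  token_endpoint: 'http://localhost:8080/.well-known/openid-configuration/token',
  jwks_uri: 'http://localhost:8080/.well-known/openid-configuration/jwks',
};
const DOC_DEFAULT = {
  issuer: 'http://localhost:8080/default',
  token_endpoint: 'http://localhost:8080/default/token',
  jwks_uri: 'http://localhost:8080/default/jwks',
};

// Offline stand-in for fetch(): the constructed documents keyed by URL.
const CONSTRUCTED_SERVER = new Map([
  ['http://localhost:8080/.well-known/openid-configuration', DOC_MISCONFIGURED],
  ['http://localhost:8080/default/.well-known/openid-configuration', DOC_DEFAULT],
]);

// Full flow: resolve the authority, "fetch" the document, validate the issuer.
function discover(authority) {
  const { discoveryUrl, expectedIssuer } = discoveryTarget(authority);
  const metadata = CONSTRUCTED_SERVER.get(discoveryUrl);
  if (!metadata) throw new Error(`no discovery document at ${discoveryUrl}`);
  return processDiscovery(expectedIssuer, metadata);
}

// Wrap the outcome so both the failure and the success can be inspected.
function tryDiscover(authority) {
  try {
    return { ok: true, issuer: discover(authority).issuer };
  } catch (e) {
    return { ok: false, code: e.code ?? 'ERROR', expected: e.cause?.expected, actual: e.cause?.actual };
  }
}

// The authority from the report fails the check; the one from the reply passes.
console.log(tryDiscover('http://localhost:8080/'));
console.log(tryDiscover('http://localhost:8080/default/.well-known/openid-configuration'));
```

Running it prints the same `expected` / `issuer` pair the report shows for the first authority, and a validated issuer of `http://localhost:8080/default` for the second. The check is an exact string comparison on purpose: a trailing slash or a different path segment is a different issuer, which is why the authority has to name the issuerId the mock server actually serves.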

m1212e commented 1 day ago

This is it, thanks so much!