nuxt-community / auth-module

Zero-boilerplate authentication support for Nuxt 2
https://auth.nuxtjs.org
MIT License

For openIDConnect, clientSecret is not included in the request to exchange access token #1838

Closed captain-melanie closed 1 year ago

captain-melanie commented 1 year ago

Hi, I was trying to establish a connection with Okta via OpenID Connect and followed this doc https://auth.nuxtjs.org/schemes/openidconnect, but the doc doesn't define clientSecret. Isn't a clientSecret required? Where should I define this property?

Here's my current configuration:

auth: {
  response_type: 'id_token',
  redirect: {
    login: '/auth/notLoggedIn',
    callback: '/auth/signed-in',
  },
  strategies: {
    local: false,
    openIDConnect: {
      scheme: 'openIDConnect',
      clientId: process.env.OPENID_CLIENT_ID,
      clientSecret: process.env.OPENID_CLIENT_SECRET,
      endpoints: {
        configuration:
          'https://inform.okta.com/.well-known/openid-configuration',
      },
      token: {
        property: 'access_token',
        type: 'Bearer',
        maxAge: 1800,
      },
      responseType: 'code',
      grantType: 'authorization_code',
      scope: ['openid', 'profile', 'email'],
      codeChallengeMethod: 'S256',
      accessType: 'offline',
    },
  },
}

Although I put clientSecret in the config anyway, it's not included in the HTTP request to https://inform.okta.com/oauth2/v1/token, which exchanges the access token.

MuhammadAlfianIzzah commented 1 year ago

same issue

stav3ng3r commented 1 year ago

Did you manage to figure it out? Facing the same problem.

captain-melanie commented 1 year ago

Hi @MuhammadAlfianIzzah @stav3ng3r, yeah, it turned out that my app doesn't need a client secret for the connection because my associated Okta app is set to be a single-page application. There will be a login prompt provided by Okta when connected successfully. Previously it was set to be like a server-side app, so it requires a client ID and secret. Here's the working version of my config:

auth: {
  response_type: 'id_token',
  redirect: {
    login: 'login',
    callback: 'logged-in',
  },
  strategies: {
    okta: {
      scheme: 'openIDConnect',
      endpoints: {
        configuration: `${process.env.OKTA_DOMAIN}/.well-known/oauth-authorization-server`,
        authorization: `${process.env.OKTA_DOMAIN}/${process.env.OKTA_AUTHORIZATION_SERVER_ID}/v1/authorize`,
        token: `${process.env.OKTA_DOMAIN}/${process.env.OKTA_AUTHORIZATION_SERVER_ID}/v1/token`,
        userInfo: `${process.env.OKTA_DOMAIN}/${process.env.OKTA_AUTHORIZATION_SERVER_ID}/v1/userinfo`,
        logout: `${process.env.OKTA_DOMAIN}/${process.env.OKTA_AUTHORIZATION_SERVER_ID}/v1/logout`,
      },
      idToken: {
        property: 'id_token',
        maxAge: 60 * 60 * 24 * 30,
        prefix: '_id_token.',
        expirationPrefix: '_id_token_expiration.',
      },
      // Okta app registered as a single-page application (public client): client ID only, no clientSecret
      clientId: `${process.env.OKTA_CLIENT_ID}`,
      grantType: 'authorization_code',
      responseType: 'code',
      scope: ['openid', 'profile', 'offline_access'],
    },
  },
}