omniauth / omniauth_openid_connect

MIT License

Scope parameter is not supported on auth code access token exchange request #51

Closed lscorcia closed 4 years ago

lscorcia commented 4 years ago

Hi, I'm not a Ruby dev but I stumbled on this when trying to configure a Gitlab server instance for OpenID Connect integration. In my scenario, I have a Gitlab server which internally uses Omniauth and Omniauth_openid_connect (v. 0.3.3) to talk to an OpenAM server (both of those are the latest available versions as of today, i.e. Gitlab CE 12.7.6 and OpenAM 14.4.3, open source editions). I have opened an issue on the Gitlab tracker and the support redirected me here.

After setting up the required parameters, the login process fails with the following error:

Could not authenticate you from OpenIDConnect because "Invalid request :: scope parameter is not supported on an authorization code access token exchange request. scope parameter should be supplied to the authorize request."

Indeed, according to the relevant section of the OpenID Specifications (https://tools.ietf.org/html/rfc6749#section-4.1.3, https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest), the scope attribute is not allowed in token requests, but it seems like it is always populated by this library.

The authentication process via OpenID Connect using code flow relies on three HTTP calls:

1. Gitlab(Browser) -> OpenID(Server): GET to authorization endpoint
2. OpenID(Server) -> Browser(Gitlab): browser redirect to OpenID Connect callback
3. Gitlab(Server) -> OpenID(Server): POST to token endpoint

The first two calls complete successfully, but the third POST has an extra scope parameter that should not be there when grant_type is authorization_code.

To reproduce: configure a local instance of OpenAM (https://github.com/OpenIdentityPlatform/OpenAM/) or another local standards-compliant OpenID Connect implementation (the main online social login platforms sometimes have quirks or accept non-standard requests), then try to log in.

lscorcia commented 4 years ago

OK, reading the code I found out about the send_scope_to_token_endpoint option, which uses the standard behaviour when set to false (default is true).

It would probably be useful to set this default value to false (standard compliant), and to add some documentation about that.
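As an added illustration of the token exchange described in the first comment and the send_scope_to_token_endpoint option found in the second (example code written for this page, not the gem's own implementation): a builder for the RFC 6749 section 4.1.3 token request body, plus a checker that a defender can run over a captured POST body to spot the forbidden scope parameter. Client id, secret, redirect URI and authorization code are constructed sample values.

```ruby
require 'uri'

# Hypothetical minimal client configuration. Only the option name
# send_scope_to_token_endpoint comes from the issue; the values are constructed.
DEFAULT_OPTIONS = {
  client_id: 'gitlab-client',
  client_secret: 'constructed-secret',
  redirect_uri: 'https://gitlab.example/users/auth/openid_connect/callback',
  scope: %w[openid email profile],
  send_scope_to_token_endpoint: false # standards-compliant behaviour
}.freeze

# Builds the form-encoded body of the POST to the token endpoint
# (step 3 of the code flow) for the authorization_code grant.
def token_request_body(code, options = DEFAULT_OPTIONS)
  params = {
    'grant_type' => 'authorization_code',
    'code' => code,
    'redirect_uri' => options[:redirect_uri],
    'client_id' => options[:client_id],
    'client_secret' => options[:client_secret]
  }
  # scope belongs on the authorization request (step 1, RFC 6749 section 4.1.1);
  # only the non-standard option adds it here.
  params['scope'] = options[:scope].join(' ') if options[:send_scope_to_token_endpoint]
  URI.encode_www_form(params)
end

# Checks a token-request body (e.g. captured from a proxy or server log)
# against RFC 6749 section 4.1.3 and returns the list of problems found.
def check_token_request(body)
  params = URI.decode_www_form(body).to_h
  return ['grant_type is not authorization_code'] unless params['grant_type'] == 'authorization_code'

  problems = []
  problems << 'missing required parameter code' unless params.key?('code')
  if params.key?('scope')
    # This is exactly what OpenAM rejects with "scope parameter is not supported
    # on an authorization code access token exchange request".
    problems << 'scope parameter is not allowed on an authorization_code token request'
  end
  problems
end
```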

m0n9oose commented 4 years ago

Glad to hear you found out what the problem is.

Feel free to open a pull request with these changes 🙌