owncloud / openidconnect

OpenId Connect (OIDC) Integration for ownCloud
GNU General Public License v2.0

Wrong assumption about access token as JWT #217

Closed rizlas closed 2 years ago

rizlas commented 2 years ago

Hi, we encountered an issue when enabling OIDC with auto-provisioning. We identified the source of the problem as this part of your code:

https://github.com/owncloud/openidconnect/blob/master/lib/SessionVerifier.php#L122

You assume that accessToken is a JWT, while according to the OIDC specification accessToken could be an arbitrary string. This significantly limits the number of providers usable with the module, also limiting compliance with the specification. In particular, we are using OIDC auto-provisioning with a Satosa gateway to bridge SAML federations to OIDC. We have been able to work around the issue by commenting out lines 122 to 126.

We would also like to highlight that checking JWT validity after a number of interactions is a bit counterintuitive. The JWT validity check should be performed as soon as the interaction starts.

HTH

DeepDiver1975 commented 2 years ago

In this case you need to provide the use-token-introspection-endpoint option - please read about it in the README.

DeepDiver1975 commented 2 years ago

https://doc.owncloud.com/server/next/admin_manual/configuration/server/config_apps_sample_php_parameters.html#app-openid-connect-oidc
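As an added illustration of the point raised in the issue and of the introspection route the maintainer points to, here is a small Python sketch (not code from the openidconnect app) of a relying party that does not assume the access token is a JWT: a token that parses as a JWT is verified and checked for expiry, and anything else is treated as opaque and passed to the provider's token introspection endpoint (RFC 7662). The HS256 shared secret, the `make_hs256_jwt` helper and the `fake_introspect` stand-in for the HTTP call are constructed for the example; real providers typically sign with RS256 and publish keys via JWKS.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def looks_like_jwt(token):
    """Heuristic only: three base64url segments whose first decodes to a JSON
    header carrying 'alg'. Access tokens are opaque to the client per OAuth 2.0,
    so a failed parse is not an error; the token just goes to introspection."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # bad base64 or not JSON
        return False
    return isinstance(header, dict) and "alg" in header

def verify_hs256_jwt(token, key, now=None):
    """Verify signature (constant-time compare) and 'exp' of an HS256 JWT."""
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
    except ValueError:
        return False
    return claims.get("exp", 0) > (now if now is not None else int(time.time()))

def token_is_active(token, key, introspect, now=None):
    """JWT path when the token parses as one; otherwise ask the provider.
    'introspect' stands in for a POST to the introspection endpoint."""
    if looks_like_jwt(token):
        return verify_hs256_jwt(token, key, now)
    return bool(introspect(token).get("active", False))

# --- constructed sample inputs, not taken from the issue ---
SECRET = b"demo-shared-secret"  # hypothetical shared key for the HS256 demo

def make_hs256_jwt(claims, key):
    enc = lambda d: base64.urlsafe_b64encode(
        json.dumps(d, separators=(",", ":")).encode()).rstrip(b"=").decode()
    head, body = enc({"alg": "HS256", "typ": "JWT"}), enc(claims)
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}." + base64.urlsafe_b64encode(sig).rstrip(b"=").decode()

def fake_introspect(token):
    """Stand-in for the provider: only one constructed opaque token is active."""
    return {"active": token == "opaque-token-issued-by-satosa"}
```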