panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Question: client_credentials and forward flow #241

Closed ryzhman closed 4 years ago

ryzhman commented 4 years ago

I am implementing the OIDC flow for the first time for my app and would like to use your library as a plug and play. But have a few questions related to two flows I am going to implement:

  1. Client_credentials grant_type based on POST request to /connect/token IdP's endpoint. I can get the auth request working from another HTTP client, but in NodeJS nothing is returned and no logs are present. The redirectParams are empty since the tokenSet is passed back in the body. Here is the code for issuer:

    ```js
    const { Issuer } = require('openid-client');

    let client;
    // Discover the issuer metadata, then register the client on it
    const issuer = Issuer.discover(DISCOVERY_ENDPOINT)
        .then((issuer) => {
            client = new issuer.Client({
                client_id: 'client',
                client_secret: '@#$@',
                grant_type: 'client_credentials',
                scope: 'specific_scope'
            });
        });
    ```

    and callback:

    ```js
    const params = client.callbackParams(req);
    const tokenSet = await client.callback(params, { tokenSet: req.body })
        .then(function (tokenSet) {
            console.log('received and validated tokens %j', tokenSet);
            console.log('validated ID Token claims %j', tokenSet.claims());
            // without this return the awaited value is undefined
            return tokenSet;
        });
    res.send(tokenSet);
    ```

    Something seems to be missing and would be grateful for your help

  2. A bit more complex flow for Client_credentials grant_type:

    The request is forwarded from Tomcat to NodeJS app -> then it's forwarded to IdP -> after the successful authentication request is forwarded back to Tomcat with token_set.

I would like to employ openid-client to make the initial one-way request to IdP and don't expect anything to return. What is the best way to do it?

Thanks for your time

panva commented 4 years ago

1) use a method for executing arbitrary token endpoint grant calls. callback() is for, well, callback based flows.

2) I don't follow.

panva commented 4 years ago

If you found this helpful, please consider supporting the library if it turns out to provide value to you or your company. Supporting the library means, amongst other things, that such support will be available in the future.

ryzhman commented 4 years ago

@panva thanks for your response. grant worked perfectly. Is there any way to keep the client_credentials encapsulated in the client instance and avoid manual construction of the body for the grant request?

panva commented 4 years ago

You’re just providing the grant type and its required body payload. I don’t feel like there’s a need for further encapsulation for these simple grants.
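What the `grant({ grant_type: 'client_credentials', scope })` call from this thread puts on the wire, as an added example that is not openid-client's own code: the token request is built with client_secret_basic authentication, and the token endpoint's answer is checked before the access token is handed out. The endpoint URL, client credentials and the injected `fetchImpl` are assumptions for the example (global `fetch` in Node 18+ works; a stub lets the exchange run offline).

```javascript
// Added example, not openid-client's own code: the client_credentials
// exchange the thread's grant() call performs, written out by hand so the
// request body and the response checks are visible.

// Hypothetical values; a real deployment takes these from configuration.
const TOKEN_ENDPOINT = 'https://idp.example/connect/token';

// Build the token request. With client_secret_basic (RFC 6749 §2.3.1) the
// credentials travel in the Authorization header and only grant_type and
// scope go in the form body; id and secret are form-urlencoded before the
// Base64 step so characters like '@' or ':' cannot break the header.
function buildClientCredentialsRequest(tokenEndpoint, clientId, clientSecret, scope) {
  const form = new URLSearchParams({ grant_type: 'client_credentials' });
  if (scope) form.set('scope', scope);
  const basic = Buffer.from(
    `${encodeURIComponent(clientId)}:${encodeURIComponent(clientSecret)}`,
  ).toString('base64');
  return {
    url: tokenEndpoint,
    method: 'POST',
    headers: {
      Authorization: `Basic ${basic}`,
      'Content-Type': 'application/x-www-form-urlencoded',
      Accept: 'application/json',
    },
    body: form.toString(),
  };
}

// Check a token endpoint response before trusting it: a non-JSON body, an
// OAuth error body, a missing access_token or an unexpected token_type are
// all rejected. Returns a small token set with an absolute expiry time.
function parseTokenResponse(status, body, now = Math.floor(Date.now() / 1000)) {
  let res;
  try {
    res = typeof body === 'string' ? JSON.parse(body) : body;
  } catch (e) {
    throw new Error(`token endpoint returned status ${status} with a non-JSON body`);
  }
  if (status !== 200 || res.error) {
    const detail = res.error_description ? `: ${res.error_description}` : '';
    throw new Error(`token endpoint error ${res.error || status}${detail}`);
  }
  if (typeof res.access_token !== 'string' || res.access_token === '') {
    throw new Error('token response has no access_token');
  }
  if (!/^bearer$/i.test(String(res.token_type))) {
    throw new Error(`unsupported token_type ${res.token_type}`);
  }
  return {
    access_token: res.access_token,
    token_type: 'Bearer',
    scope: res.scope,
    // client_credentials responses carry no refresh_token (RFC 6749 §4.4.3);
    // the client simply requests a fresh token once this time has passed.
    expires_at: Number.isInteger(res.expires_in) ? now + res.expires_in : undefined,
  };
}

// Perform the exchange with any fetch-compatible function (global fetch in
// Node 18+, or a stub that returns canned responses for offline tests).
async function clientCredentialsGrant(fetchImpl, { tokenEndpoint = TOKEN_ENDPOINT, clientId, clientSecret, scope }) {
  const req = buildClientCredentialsRequest(tokenEndpoint, clientId, clientSecret, scope);
  const resp = await fetchImpl(req.url, { method: req.method, headers: req.headers, body: req.body });
  return parseTokenResponse(resp.status, await resp.text());
}
```

The secret never appears in the form body; keeping it in the header is what lets a request log of `grant_type=client_credentials&scope=...` be safe to retain. Because the response carries no refresh token, the caller's only state is `expires_at`.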

ryzhman commented 4 years ago

@panva One more question regarding obtaining the token set based on the authentication code: I use the implicit/hybrid flow and after the login, IdP sends back the access and id tokens with authCode (nonce is stored on IdP). But down the road, I need a refresh token so I do request a new token set via /token in Postman (with client_secret/id, code, grant_type = authorization_code, and original redirecturl). However, when I do a request from the OIDC-client I get an error with nonce validation (expected ... get ...). How can I pass it explicitly to the IdP with callback() call? Adding new property to the params didn't work out.

panva commented 4 years ago

> How can I pass it explicitly to the IdP with callback() call? Adding new property to the params didn't work out

You don't pass the nonce back to the IdP in the callback() call, you assert that the nonce you sent in initially is in the ID Token returned. Please read the callback method's docs. There's a whole argument object for these checks where nonce is called out.