panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

discover not setting client parameters correctly #509

Closed yovasx2 closed 2 years ago

yovasx2 commented 2 years ago

Describe the bug
When I instantiate a client with an issuer using discovery with this URL: https://controller.sandbox.myoneid.co.uk/.well-known/openid-configuration

the client doesn't get the correct cipher algorithm (PS256):

 Client {
  authorization_signed_response_alg: 'RS256',
  client_id: 'ba180c1f-be20-43cb-aa8f-3001797276b4',
  client_secret: 'a6f2c56f-98d4-47e6-8ba0-25af2f5d0231',
  grant_types: [
    'authorization_code'
  ],
  id_token_signed_response_alg: 'RS256',
  redirect_uris: [
    'http://localhost:9001/oneid/authorize/callback'
  ],
  response_types: [
    'code'
  ],
  token_endpoint_auth_method: 'client_secret_basic'
}

To Reproduce
Issuer and Client configuration: (inline or gist) - Don't forget to redact your secrets.

// Issuer configuration (issuer.metadata) and how it is constructed (discovery or manual?)
// It's discovery: https://controller.sandbox.myoneid.co.uk/.well-known/openid-configuration

// Client configuration (client.metadata) and how it is constructed (fromUri or manual?)
const { Issuer, generators } = require('openid-client');
const { v4: uuid } = require('uuid');

Issuer.discover('https://controller.sandbox.myoneid.co.uk').then(i => {
  const client = new i.Client({
    client_id: 'xxxxxxxx',
    client_secret: 'xxxxxxxx',
    redirect_uris: ['http://localhost:9001/oneid/authorize/callback'],
    // id_token_signed_response_alg (default "RS256")
    // token_endpoint_auth_method (default "client_secret_basic")
  });

  console.log(client);

  // PKCE: the verifier stays server-side, only the derived challenge goes into the request
  const code_verifier = generators.codeVerifier();
  const code_challenge = generators.codeChallenge(code_verifier);

  const state = uuid();
  const authorizationUrl = client.authorizationUrl({
    scope: 'openid email profile',
    code_challenge,
    // PKCE challenge methods are 'plain' or 'S256'; 'PS256' is a JWS algorithm, not a PKCE method
    code_challenge_method: 'S256',
    state
  });
  console.log(authorizationUrl);
}).catch(console.error);


Steps to reproduce the behaviour:

  1. Use Issuer.discover with the URL above
  2. Instantiate a new client and observe that the alg is RS256 instead of the one supported in the discovery URL
  3. client.callback is going to fail with the error: unexpected JWT alg received, expected RS256, got: PS256

Expected behaviour
The discovery must set PS256 instead of the RS256 alg


panva commented 2 years ago

AS discovery does not determine the constructed client metadata defaults.

I cannot imagine the pain debugging a problem stemming from an AS updating its metadata and something defaulting to a different or no value - leading to breakage or unintended behaviours.

Configure your client instances with explicit values.
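The explicit configuration recommended above, with a startup check of the pinned values against the issuer's discovery document, as an added example that is not code from openid-client or from this thread; the issuer metadata, client_id and URLs are constructed samples, and buildClientMetadata and pkceMethod are hypothetical helpers you would call before `new issuer.Client(...)`.

```javascript
// Added example, not openid-client code; the issuer metadata below is a constructed sample.
// Map each client metadata field to the discovery field advertising support for it.
const SUPPORT_FIELDS = {
  id_token_signed_response_alg: 'id_token_signing_alg_values_supported',
  token_endpoint_auth_method: 'token_endpoint_auth_methods_supported',
};

// Returns metadata ready for `new issuer.Client(...)`. Every governed field must be
// given explicitly and appear in the issuer's advertised list, so a change to the
// AS metadata fails here at startup rather than later inside client.callback.
function buildClientMetadata(issuerMetadata, explicit) {
  for (const [field, supportField] of Object.entries(SUPPORT_FIELDS)) {
    const value = explicit[field];
    if (value === undefined) {
      throw new Error(`${field} must be set explicitly; do not rely on library defaults`);
    }
    if (field === 'id_token_signed_response_alg' && value === 'none') {
      throw new Error('unsigned ID tokens are not acceptable');
    }
    const supported = issuerMetadata[supportField];
    if (Array.isArray(supported) && !supported.includes(value)) {
      throw new Error(`${field}=${value} is not in issuer ${supportField} [${supported.join(', ')}]`);
    }
  }
  return { ...explicit };
}

// PKCE challenge methods are 'plain' or 'S256'; per RFC 7636 an absent list means
// only 'plain', which is not acceptable, so S256 must be advertised explicitly.
function pkceMethod(issuerMetadata) {
  const supported = issuerMetadata.code_challenge_methods_supported || [];
  if (!supported.includes('S256')) {
    throw new Error(`issuer does not advertise S256 PKCE, only [${supported.join(', ')}]`);
  }
  return 'S256';
}

const sampleIssuerMetadata = {
  issuer: 'https://op.example.test',
  id_token_signing_alg_values_supported: ['PS256'],
  token_endpoint_auth_methods_supported: ['client_secret_basic', 'private_key_jwt'],
  code_challenge_methods_supported: ['S256'],
};
const clientMetadata = buildClientMetadata(sampleIssuerMetadata, {
  client_id: 'constructed-client-id',
  redirect_uris: ['https://rp.example.test/callback'],
  id_token_signed_response_alg: 'PS256',
  token_endpoint_auth_method: 'client_secret_basic',
});
console.log(clientMetadata, pkceMethod(sampleIssuerMetadata));
```

Re-running the check on every start means an AS that drops PS256 or S256 from its metadata produces one clear error instead of the "unexpected JWT alg" failure seen in the report.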

yovasx2 commented 2 years ago

Got it, thx!