Status: closed (wingyplus closed this issue 3 years ago)
That would be great!
Looks like they support OIDC which is very easy to add an integration for. You can take a look at the Azure AD integration (ignoring the tenant logic), and the docs for OIDC base integration:
https://github.com/pow-auth/assent/blob/master/lib/assent/strategies/azure_ad.ex
https://github.com/pow-auth/assent/blob/master/lib/assent/strategies/oidc/base.ex
For the tests I usually copy values from the provider documentation: https://github.com/pow-auth/assent/blob/master/test/assent/strategies/azure_ad_test.exs#L6
@danschultzer Thanks for the information. I'll read it and open a PR today. :)
@danschultzer LINE Login uses HS256 for the ID Token. How do we change the alg to use HS256 instead of RS256?
@danschultzer Since LINE Login uses alg HS256 for the ID Token, after I tried passing the params to the callback I received an error like this:

```
{:error, "`alg` in ID Token can only be \"RS256\""}
```

After reading and inspecting the code, I found that the error comes from OIDC.validate_id_token/2, in the step verify_alg/2 after passing verify_jwt/3, which returns alg HS256 in the header. Should it check for HS256 in verify_alg/2, or do we need another option to make it work with HS256?

It works fine if we set id_token_signed_response_alg in openid_configuration, but that requires another configuration to make it work. This is a sample configuration that works for me:
```elixir
def default_config(_config) do
  [
    site: "https://access.line.me",
    authorization_params: [scope: "email profile", response_type: "code"],
    # Set manually: the well-known document below does not include this key.
    openid_configuration: %{
      "id_token_signed_response_alg" => ["HS256"],
      "issuer" => "https://access.line.me",
      "authorization_endpoint" => "https://access.line.me/oauth2/v2.1/authorize",
      "token_endpoint" => "https://api.line.me/oauth2/v2.1/token",
      "jwks_uri" => "https://api.line.me/oauth2/v2.1/certs"
    }
  ]
end
```
I need to set this manually because the well-known OpenID configuration doesn't return id_token_signed_response_alg:

```console
$ curl https://access.line.me/.well-known/openid-configuration
{
  "issuer": "https://access.line.me",
  "authorization_endpoint": "https://access.line.me/oauth2/v2.1/authorize",
  "token_endpoint": "https://api.line.me/oauth2/v2.1/token",
  "jwks_uri": "https://api.line.me/oauth2/v2.1/certs",
  "response_types_supported": [ "code" ],
  "subject_types_supported": [ "pairwise" ],
  "id_token_signing_alg_values_supported": [ "ES256" ]
}
```
Do you have any suggestion?
Yeah, I found out the handling of the response alg was incorrect. It was a bit difficult to understand from the RFC:

> The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration.

But I looked at other OIDC implementations, and setting it as a configuration option seems to be the way to do it. #59 handles that, and I've refactored #58 to use the new configuration option so we don't need to set the OpenID config manually. I'll get a new release out shortly!
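The point in the thread above is that the accepted ID Token `alg` must come from configuration (`id_token_signed_response_alg`), not from the token's own header: a verifier that routes on the header's `alg` is open to `alg: none` and key-type confusion. The following is an added example, not code from assent or from LINE, showing a minimal verifier with the algorithm pinned by configuration. For HS256 the verification key is the client secret, which is what OpenID Connect Core specifies for the HMAC algorithms; the RS256/ES256 JWKS path is deliberately left out. `ISSUER` is the value from the LINE discovery document quoted in the thread; `CLIENT_ID` and `CLIENT_SECRET` are constructed placeholders, and every token in `demo()` is built locally rather than captured from LINE.

```python
"""Verify an OIDC ID Token against a configured signing algorithm.

Added example, not assent's or LINE's code. Only HS256 is implemented.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for the example; not real LINE credentials.
ISSUER = "https://access.line.me"
CLIENT_ID = "1234567890"                    # assumed channel ID used as client_id
CLIENT_SECRET = b"example-channel-secret"   # assumed channel secret, the HS256 key


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


class IdTokenError(ValueError):
    pass


def make_hs256_id_token(claims: dict, secret: bytes, alg_header: str = "HS256") -> str:
    """Build a token the way an HS256 provider would. `alg_header` lets the demo
    construct tokens whose header names an algorithm the signature does not use."""
    header = _b64url_encode(json.dumps({"alg": alg_header, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_id_token(token: str, *, expected_alg: str, client_secret: bytes,
                    issuer: str, client_id: str, now: Optional[float] = None) -> dict:
    """Validate an ID Token against a configured `expected_alg`
    (id_token_signed_response_alg). The JWT header may only agree with that
    setting; it never selects which key type is used for verification."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("ID Token is not a three-part JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # The security-relevant check: compare against configuration before touching
    # the signature. "none" and foreign key types fail here.
    if header.get("alg") != expected_alg:
        raise IdTokenError(f'`alg` in ID Token can only be "{expected_alg}", got {header.get("alg")!r}')
    if expected_alg != "HS256":
        raise IdTokenError(f"{expected_alg} verification is not implemented in this example")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(client_secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise IdTokenError("signature does not verify with the client secret")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise IdTokenError("unexpected iss")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise IdTokenError("aud does not contain this client_id")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise IdTokenError("ID Token has expired")
    return claims


def _outcome(fn) -> str:
    try:
        return "ok:" + fn()["sub"]
    except IdTokenError as exc:
        return "rejected:" + str(exc)


def demo(now: float = 1_700_000_000.0) -> dict:
    """Run the verifier over a constructed set of tokens and return each outcome."""
    claims = {"iss": ISSUER, "sub": "U1234", "aud": CLIENT_ID, "iat": now, "exp": now + 3600}
    common = dict(client_secret=CLIENT_SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=now)
    good = make_hs256_id_token(claims, CLIENT_SECRET)
    # Header claims "none": a header-trusting verifier would skip the signature
    # check; here the pinned-alg comparison rejects it first.
    unsigned = make_hs256_id_token(claims, CLIENT_SECRET, alg_header="none")
    # Header claims RS256 over an HMAC: a header-trusting verifier would hand the
    # token to its RSA path with whatever public key it holds.
    rs_header = make_hs256_id_token(claims, CLIENT_SECRET, alg_header="RS256")
    # Payload edited after signing; header and signature untouched.
    h, _, s = good.split(".")
    bad_payload = _b64url_encode(json.dumps({**claims, "sub": "attacker"}).encode())
    tampered = f"{h}.{bad_payload}.{s}"
    return {
        "valid": _outcome(lambda: verify_id_token(good, expected_alg="HS256", **common)),
        "alg_none": _outcome(lambda: verify_id_token(unsigned, expected_alg="HS256", **common)),
        "alg_rs256_header": _outcome(lambda: verify_id_token(rs_header, expected_alg="HS256", **common)),
        "tampered": _outcome(lambda: verify_id_token(tampered, expected_alg="HS256", **common)),
        # Configuration left at the RS256 default while the provider signs with
        # HS256: the same error the thread reports.
        "config_rs256": _outcome(lambda: verify_id_token(good, expected_alg="RS256", **common)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

The `config_rs256` case is the situation from the thread (provider signs HS256, configuration still defaults to RS256) and is meant to fail; the fix is the configuration value, not a looser check, because the `alg_none` and `alg_rs256_header` cases show what a verifier that believes the header would let through.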
It would be good to see it support the LINE OAuth provider (https://developers.line.biz/en/services/line-login/). I can open a PR if you all agree.