The CII OAuth server does not do a standard OAuth flow: in particular, 1) it does not utilize client keys and secrets and 2) it does not use an authorization code that gets exchanged for a token. In addition, the CII server returns a JWT which should be decoded to get the user's identity. This extension makes customizations to the authenticator's OAuth2-provider support to support CII's non-standard OAuth implementation.
The tasks in this issue are:
[x] update the custom_idp_config_schema with a "ciiObject" description; properties needed include login_url and jwt_decode_key, and update the code to recognize this new schema type (e.g., in TenantConfigsCache)
[x] Update the oauth2ext.py module to support the new cii type (instructions at top of module).
[x] modify the OAuth2ProviderExtCallback controller class to not try to generate an authorization code.
joestubbs
commented
2 years ago
The CII OAuth server does not do a standard OAuth flow: in particular, 1) it does not utilize client keys and secrets and 2) it does not use an authorization code that gets exchanged for a token. In addition, the CII server returns a JWT which should be decoded to get the user's identity. This extension makes customizations to the authenticator's OAuth2-provider support to support CII's non-standard OAuth implementation.
The tasks in this issue are: