trinodb / trino-gateway

https://trinodb.github.io/trino-gateway/
Apache License 2.0

OIDC login implementation isn't up to standard #339

Closed oneonestar closed 1 month ago

oneonestar commented 1 month ago

Things that are missing:

I think what I'm going to do is reimplement the OIDC login using OAuth library (nimbusds).


Ref: https://github.com/trinodb/trino-gateway/blob/53ec04bd043fbb5a5d11c25472b091ba398b3608/gateway-ha/src/main/java/io/trino/gateway/ha/security/LbOAuthManager.java#L119

```
$ curl -X POST http://localhost:9080/sso
{"code":200,"msg":"Ok","data":"http://localhost:4444/oauth2/auth?client_id=trino_client_id&response_type=code&redirect_uri=http://localhost:9080/oidc/callback&scope=openid"}
```

state should be included in the OAuth request redirect. It is required by the spec, and some OAuth providers reject the request if the state field is missing.

For example, Hydra returns the following error: The state is missing or does not have enough characters and is therefore considered too weak. Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.

Ref:

Implementation in Trino: https://github.com/trinodb/trino/blob/ae789c04f5995dcd87efe6b5e1862521c2ad6957/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Service.java#L151
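The following is an added illustration of what the missing `state` parameter buys you; it is not code from trino-gateway or from the Trino implementation linked above. The authorization endpoint, client id, redirect URI and scope are taken from the curl output in the issue; the in-memory state store, the five-minute lifetime and the helper names are assumptions made for the example. The state is a high-entropy, one-time value recorded server-side when the login starts and checked (and discarded) when the callback arrives, so a callback that carries no state, an unknown or replayed state, or a state that does not meet the 8-character minimum Hydra quotes is rejected before the authorization code is exchanged.

```python
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Values copied from the issue's curl output.
AUTH_ENDPOINT = "http://localhost:4444/oauth2/auth"
CLIENT_ID = "trino_client_id"
REDIRECT_URI = "http://localhost:9080/oidc/callback"
SCOPE = "openid"

MIN_STATE_LENGTH = 8      # lower bound quoted from Hydra's error message
STATE_TTL_SECONDS = 300   # assumption: a login must finish within 5 minutes


class StateStore:
    """Server-side record of states issued to browsers (constructed in-memory store).

    `now` is injectable so expiry can be exercised deterministically.
    """

    def __init__(self, ttl=STATE_TTL_SECONDS, now=time.time):
        self._pending = {}   # state -> absolute expiry time
        self._ttl = ttl
        self._now = now

    def issue(self):
        # 32 random bytes, URL-safe; far above the 8-character minimum.
        state = secrets.token_urlsafe(32)
        self._pending[state] = self._now() + self._ttl
        return state

    def consume(self, state):
        """Return True exactly once for a known, unexpired state."""
        expiry = self._pending.pop(state, None)   # one-time use: remove on first sight
        return expiry is not None and self._now() < expiry


def build_authorization_url(store):
    """Authorization request like the one in the issue, plus a fresh state."""
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": store.issue(),
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def state_from_authorization_url(url):
    """Helper: the state value embedded in a URL built above."""
    return parse_qs(urlparse(url).query)["state"][0]


def validate_callback(store, callback_url):
    """Return the authorization code if the callback's state checks out, else None.

    Rejects: missing/duplicated state, state shorter than MIN_STATE_LENGTH,
    state not issued by this server, expired state, replayed state.
    """
    query = parse_qs(urlparse(callback_url).query)
    states = query.get("state", [])
    if len(states) != 1 or len(states[0]) < MIN_STATE_LENGTH:
        return None
    if not store.consume(states[0]):
        return None
    codes = query.get("code", [])
    return codes[0] if len(codes) == 1 else None


if __name__ == "__main__":
    store = StateStore()
    url = build_authorization_url(store)
    print("redirect browser to:", url)
    state = state_from_authorization_url(url)
    # Simulated provider callback (constructed), then a replay of the same callback.
    cb = f"{REDIRECT_URI}?code=constructed_code&state={state}"
    print("first callback  ->", validate_callback(store, cb))
    print("replayed callback ->", validate_callback(store, cb))
```

The state is bound to the login attempt on the server side rather than to the browser alone; a production gateway would key the store by session (or sign the state) so one user's state cannot satisfy another user's callback, but the accept/reject logic is the same.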