$ curl -X POST http://localhost:9080/sso
{"code":200,"msg":"Ok","data":"http://localhost:4444/oauth2/auth?client_id=trino_client_id&response_type=code&redirect_uri=http://localhost:9080/oidc/callback&scope=openid"}
state should be included in the OAuth request redirect.
It is required by the spec and some OAuth providers reject the request if the state field is missing.
For example, Hydra returns the following error:
The state is missing or does not have enough characters and is therefore considered too weak. Request parameter "state" must be at least be 8 characters long to ensure sufficient entropy.
Things that are missing: nonce and state during authentication. I think what I'm going to do is reimplement the OIDC login using an OAuth library (nimbusds).
Ref: https://github.com/trinodb/trino-gateway/blob/53ec04bd043fbb5a5d11c25472b091ba398b3608/gateway-ha/src/main/java/io/trino/gateway/ha/security/LbOAuthManager.java#L119
Ref:
Implementation in Trino: https://github.com/trinodb/trino/blob/ae789c04f5995dcd87efe6b5e1862521c2ad6957/core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Service.java#L151
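As an added example (not trino-gateway's or Trino's code), the following Python shows the state and nonce handling the thread above asks for: the authorization redirect carries a fresh `state` (long enough for Hydra's 8-character minimum) and `nonce`, both are remembered server-side, and the callback is only accepted if its `state` is known, unexpired and unused, and the ID token's `nonce` claim matches. It reuses the endpoint, client_id and redirect_uri from the curl response quoted at the top; the `PendingLogins` store, the 5-minute TTL and the function names are assumptions for illustration, and ID token signature verification is assumed to happen before the claims are passed in.

```python
"""Added example: OIDC authorization request with state/nonce and callback validation.
Not trino-gateway's code; the store, TTL and function names are assumptions."""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Values taken from the redirect shown in the issue; a deployment reads them from config.
AUTH_ENDPOINT = "http://localhost:4444/oauth2/auth"
CLIENT_ID = "trino_client_id"
REDIRECT_URI = "http://localhost:9080/oidc/callback"
STATE_TTL_SECONDS = 300   # assumption: a pending login attempt is valid for 5 minutes
MIN_STATE_LENGTH = 8      # Hydra rejects anything shorter (see the error quoted above)


class PendingLogins:
    """Server-side map state -> (nonce, expires_at). Each state is consumed exactly once."""

    def __init__(self):
        self._pending = {}

    def put(self, state, nonce, now):
        self._pending[state] = (nonce, now + STATE_TTL_SECONDS)

    def pop(self, state, now):
        """Return the nonce bound to `state`, or None if unknown, expired or already used."""
        entry = self._pending.pop(state, None)   # pop: a replayed state is rejected
        if entry is None:
            return None
        nonce, expires_at = entry
        return None if now > expires_at else nonce


def build_authorization_url(store, now=None):
    """Return the provider redirect URL, with fresh state and nonce recorded in `store`."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)   # 43 URL-safe chars, well above the 8-char minimum
    nonce = secrets.token_urlsafe(32)
    store.put(state, nonce, now)
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": state,   # binds the callback to this login attempt (CSRF protection)
        "nonce": nonce,   # must be echoed in the ID token (replay protection)
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def query_params(url):
    """Single-valued view of the query string of `url`."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def verify_callback(store, callback_url, id_token_claims, now=None):
    """Validate the provider's redirect to /oidc/callback plus the decoded ID token claims.

    Returns (True, "ok") on success or (False, reason). The caller is assumed to have
    verified the ID token signature before handing over its claims.
    """
    now = time.time() if now is None else now
    query = query_params(callback_url)
    state = query.get("state", "")
    if len(state) < MIN_STATE_LENGTH:
        return False, "missing or too-short state"
    expected_nonce = store.pop(state, now)
    if expected_nonce is None:
        return False, "unknown, expired or reused state"
    if "error" in query:
        return False, "provider error: " + query["error"]
    if "code" not in query:
        return False, "missing authorization code"
    received_nonce = str(id_token_claims.get("nonce", ""))
    if not hmac.compare_digest(expected_nonce.encode(), received_nonce.encode()):
        return False, "nonce mismatch"
    return True, "ok"


if __name__ == "__main__":
    pending = PendingLogins()
    redirect = build_authorization_url(pending)
    print("redirect browser to:", redirect)
    p = query_params(redirect)
    callback = REDIRECT_URI + "?code=constructed-code&state=" + p["state"]
    print(verify_callback(pending, callback, {"nonce": p["nonce"]}))   # (True, 'ok')
    print(verify_callback(pending, callback, {"nonce": p["nonce"]}))   # replay is rejected
```

The store must be shared by every gateway instance that can receive the callback (a cache keyed by state, or a signed cookie bound to the browser); a per-process dict as above only works for a single instance.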