uchicago / shibboleth-oidc

OpenID Connect support for the Shibboleth Identity Provider v3
Apache License 2.0

Support for "id_token"? #55

Open lhoekenga opened 6 years ago

lhoekenga commented 6 years ago

The readme makes me think that id_token is supported, but we're seeing this in our logs:

2017-12-22 10:23:57,573 - DEBUG [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver:133] - xxx.xxx.xxx.xxx - Resolving exception from handler [public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(java.util.Map<java.lang.String, java.lang.Object>,java.util.Map<java.lang.String, java.lang.String>,org.springframework.web.bind.support.SessionStatus,java.security.Principal)]: error="unsupported_response_type", error_description="Unsupported response types: [id_token]"
2017-12-22 10:23:57,579 - DEBUG [org.springframework.web.servlet.mvc.method.annotation.ExceptionHandlerExceptionResolver:370] - xxx.xxx.xxx.xxx - Invoking @ExceptionHandler method: public org.springframework.web.servlet.ModelAndView org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.handleOAuth2Exception(org.springframework.security.oauth2.common.exceptions.OAuth2Exception,org.springframework.web.context.request.ServletWebRequest) throws java.lang.Exception
2017-12-22 10:23:57,579 - INFO [org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint:487] - xxx.xxx.xxx.xxx - Handling OAuth2 error: error="unsupported_response_type", error_description="Unsupported response types: [id_token]"
2017-12-22 10:23:57,642 - DEBUG [org.springframework.web.servlet.DispatcherServlet:1208] - xxx.xxx.xxx.xxx - Handler execution resulted in exception - forwarding to resolved error view: ModelAndView: reference to view with name '/error'; model is {error=error="unsupported_response_type", error_description="Unsupported response types: [id_token]"}
org.springframework.security.oauth2.common.exceptions.UnsupportedResponseTypeException: Unsupported response types: [id_token]
        at org.springframework.security.oauth2.provider.endpoint.AuthorizationEndpoint.authorize(AuthorizationEndpoint.java:128)

lhoekenga commented 6 years ago

The spec suggests that id_token should be valid for the Implicit flow: http://openid.net/specs/openid-connect-core-1_0.html#Authentication

Authentication can follow one of three paths: the Authorization Code Flow (response_type=code), the Implicit Flow (response_type=id_token token or response_type=id_token), or the Hybrid Flow (using other Response Type values defined in OAuth 2.0 Multiple Response Type Encoding Practices [OAuth.Responses]). The flows determine how the ID Token and Access Token are returned to the Client.
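An added example, not code from shibboleth-oidc or from Spring Security OAuth, of what the quoted spec text means for an authorization endpoint: it accepts every response_type set OpenID Connect Core assigns to a flow (including the bare id_token rejected in the log above), classifies each as code, implicit or hybrid, and applies the nonce and response_mode rules that go with returning an ID Token straight from the authorization endpoint. The hostname, client_id and parameter values are constructed, and rejecting response_mode=query for token-returning flows is this example's hardening choice rather than a quotation of the spec.

```python
"""Classify an OpenID Connect response_type and sanity-check an authorization
request the way an OIDC-aware authorization endpoint must, following the flow
definitions in OpenID Connect Core 1.0 section 3 and the OAuth 2.0 Multiple
Response Type Encoding Practices spec. Added example; not shibboleth-oidc code."""

from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Every response_type set OIDC Core assigns to a flow. The value is a space
# delimited, order-insensitive list, so "token id_token" == "id_token token".
FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}

# Default response_mode per flow: "code" alone comes back in the query string;
# anything that returns a token or ID Token from the authorization endpoint
# comes back in the fragment.
DEFAULT_RESPONSE_MODE = {"authorization_code": "query", "implicit": "fragment", "hybrid": "fragment"}


class AuthzRequestError(ValueError):
    """Carries the OAuth 2.0 error code that would be returned to the client."""

    def __init__(self, error: str, description: str) -> None:
        super().__init__(f'error="{error}", error_description="{description}"')
        self.error = error
        self.description = description


def classify_response_type(response_type: str) -> str:
    """Return the OIDC flow name for a response_type value, or raise
    unsupported_response_type, which is exactly where a code/token-only OAuth
    server (the behaviour in the log above) rejects a bare id_token."""
    parts = response_type.split()
    if not parts:
        raise AuthzRequestError("invalid_request", "response_type is empty")
    wanted = frozenset(parts)
    if len(wanted) != len(parts):
        raise AuthzRequestError("invalid_request", "duplicate response_type value")
    flow = FLOWS.get(wanted)
    if flow is None:
        raise AuthzRequestError("unsupported_response_type",
                                f"Unsupported response types: {sorted(wanted)}")
    return flow


def validate_authz_request(url: str) -> dict:
    """Parse an authorization request URL and enforce the per-flow rules that
    matter for token safety. Returns the resolved flow and response mode."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def one(name: str, required: bool = False) -> Optional[str]:
        values = params.get(name)
        if not values:
            if required:
                raise AuthzRequestError("invalid_request", f"missing {name}")
            return None
        if len(values) > 1:
            # Parameter pollution: never silently pick one of two values.
            raise AuthzRequestError("invalid_request", f"{name} given more than once")
        return values[0]

    scope = (one("scope", required=True) or "").split()
    if "openid" not in scope:
        raise AuthzRequestError("invalid_scope", "openid scope is required for an OIDC request")
    one("client_id", required=True)
    one("redirect_uri", required=True)

    flow = classify_response_type(one("response_type", required=True) or "")

    # OIDC Core 3.2.2.1 / 3.3.2.11: nonce is REQUIRED whenever an ID Token is
    # issued from the authorization endpoint (implicit and hybrid). It binds the
    # ID Token to this browser session and defeats replay. Optional for code.
    if flow in ("implicit", "hybrid") and not one("nonce"):
        raise AuthzRequestError("invalid_request", f"nonce is required for the {flow} flow")

    response_mode = one("response_mode") or DEFAULT_RESPONSE_MODE[flow]
    # Hardening choice in this example: tokens returned directly from the
    # authorization endpoint must not travel in the query string, where they
    # land in server logs, proxies and Referer headers.
    if flow != "authorization_code" and response_mode == "query":
        raise AuthzRequestError("invalid_request", "query response_mode not allowed when tokens are returned")

    return {"flow": flow, "response_mode": response_mode, "scope": scope}


if __name__ == "__main__":
    # Constructed sample request, mirroring the one rejected in the log above.
    sample = ("https://idp.example.edu/authorize?response_type=id_token"
              "&client_id=demo&redirect_uri=https%3A%2F%2Frp.example.edu%2Fcb"
              "&scope=openid%20profile&nonce=n-0S6_WzA2Mj&state=af0ifjsldkj")
    print(validate_authz_request(sample))
```

Run it as-is and the sample request is accepted as the implicit flow with fragment response mode; drop the nonce parameter and the same request is refused with invalid_request, which is the check an RP author most often trips over when moving from response_type=code to response_type=id_token.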

mmoayyed commented 6 years ago

Please see:
https://github.com/spring-projects/spring-security-oauth/issues/702
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/319

mmoayyed commented 6 years ago

If I remember correctly, to bypass this limitation you may want to try with id_token token. That might do it.