wultra / powerauth-restful-integration

Integration libraries used when building PowerAuth protected RESTful
GNU Affero General Public License v3.0

Fix #532: OIDC: Implement activation using OAuth 2.0, openid scope #547

Closed banterCZ closed 2 months ago

romanstrobl commented 2 months ago

We should also consider whether it would be beneficial to use existing libraries for fetching and validating tokens, see e.g.:

https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenDecoderFactory.java

https://github.com/spring-projects/spring-security/blob/main/oauth2/oauth2-client/src/main/java/org/springframework/security/oauth2/client/oidc/authentication/OidcIdTokenValidator.java

If it's not possible to reuse existing libraries, let's at least review that all validations done by existing libraries are present.
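For cross-checking "all validations done by existing libraries are present", the checklist below is the ID Token validation from OIDC Core 3.1.3.7 written out as plain JDK code. This is an added illustration, not code from the PR or from PowerAuth, and it assumes the claims have already been parsed into a `Map` and the JWS signature has already been verified against the issuer's `jwks_uri` with an allow-listed algorithm; the class and method names are hypothetical.

```java
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not PowerAuth code. Runs stand-alone with: java IdTokenClaimChecks.java
public final class IdTokenClaimChecks {

    private IdTokenClaimChecks() {
    }

    /**
     * Returns every violated rule; an empty list means the claim set passed.
     * Signature verification (JWS alg allow-list, key from jwks_uri) must happen before
     * these checks and is assumed done by the caller.
     */
    public static List<String> validate(Map<String, Object> claims, String expectedIssuer,
            String clientId, String expectedNonce, Instant now, long clockSkewSeconds) {
        List<String> errors = new ArrayList<>();
        long nowSec = now.getEpochSecond();

        // iss must exactly equal the issuer from configuration or the discovery document.
        if (!expectedIssuer.equals(claims.get("iss"))) {
            errors.add("iss must equal the configured issuer");
        }
        // sub is the stable user identifier the activation gets bound to; it is required.
        Object sub = claims.get("sub");
        if (!(sub instanceof String) || ((String) sub).isEmpty()) {
            errors.add("sub is required");
        }
        // aud is a string or an array and must contain our own client_id.
        List<String> aud = audiences(claims.get("aud"));
        if (!aud.contains(clientId)) {
            errors.add("aud must contain client_id");
        }
        // With several audiences azp becomes mandatory; when present it must be our client_id.
        Object azp = claims.get("azp");
        if (aud.size() > 1 && azp == null) {
            errors.add("azp is required when aud lists several audiences");
        }
        if (azp != null && !clientId.equals(azp)) {
            errors.add("azp must equal client_id");
        }
        // exp and iat are NumericDate values; allow a bounded clock skew in both directions.
        Long exp = numericDate(claims.get("exp"));
        if (exp == null) {
            errors.add("exp is required");
        } else if (nowSec > exp + clockSkewSeconds) {
            errors.add("token has expired");
        }
        Long iat = numericDate(claims.get("iat"));
        if (iat == null) {
            errors.add("iat is required");
        } else if (iat > nowSec + clockSkewSeconds) {
            errors.add("iat is in the future");
        }
        // nonce binds the ID Token to the authentication request that asked for it.
        if (expectedNonce != null && !expectedNonce.equals(claims.get("nonce"))) {
            errors.add("nonce must equal the value sent in the authentication request");
        }
        return errors;
    }

    private static List<String> audiences(Object aud) {
        List<String> out = new ArrayList<>();
        if (aud instanceof String) {
            out.add((String) aud);
        } else if (aud instanceof Collection) {
            for (Object a : (Collection<?>) aud) {
                out.add(String.valueOf(a));
            }
        }
        return out;
    }

    private static Long numericDate(Object v) {
        return v instanceof Number ? ((Number) v).longValue() : null;
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2024-06-01T12:00:00Z");
        // Constructed claim set with two audiences, so azp is mandatory.
        Map<String, Object> ok = Map.of(
                "iss", "https://issuer.example.com",
                "sub", "user-123",
                "aud", List.of("powerauth-client", "other-client"),
                "azp", "powerauth-client",
                "exp", now.getEpochSecond() + 300,
                "iat", now.getEpochSecond() - 5,
                "nonce", "n-0S6_WzA2Mj");
        System.out.println("valid token: " + validate(ok, "https://issuer.example.com",
                "powerauth-client", "n-0S6_WzA2Mj", now, 60));

        // Same claims with azp dropped and a nonce replayed from a different request.
        Map<String, Object> bad = new HashMap<>(ok);
        bad.remove("azp");
        bad.put("nonce", "stale");
        System.out.println("bad token:   " + validate(bad, "https://issuer.example.com",
                "powerauth-client", "n-0S6_WzA2Mj", now, 60));
    }
}
```

Returning the full list of violations rather than failing on the first one makes review against a library validator easier: each rule maps to one line that can be ticked off.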

banterCZ commented 2 months ago

The authentication of the token request is invalid, see:

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.1

The mentioned example is non-normative, but still a perfect catch. We have to support more authentication methods as described at https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
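The client authentication methods from OIDC Core section 9 differ only in where the credential travels in the token request. The class below builds the same authorization-code token request for `client_secret_basic`, `client_secret_post` and `client_secret_jwt`; it is an added illustration with hypothetical names, not code from this PR or from PowerAuth, and it assumes `client_id` and the token endpoint URL contain no characters that need JSON escaping. `private_key_jwt` has the same shape as `client_secret_jwt` with an RS256 or ES256 signature from the client's private key instead of the HMAC.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.UUID;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not PowerAuth code. Runs stand-alone with: java TokenRequestAuth.java
public final class TokenRequestAuth {

    public enum Method { CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, CLIENT_SECRET_JWT }

    /** Headers and form parameters of a token request, as an HTTP client would send them. */
    public static final class TokenRequest {
        public final Map<String, String> headers = new LinkedHashMap<>();
        public final Map<String, String> form = new LinkedHashMap<>();

        public String body() {
            StringBuilder sb = new StringBuilder();
            for (Map.Entry<String, String> e : form.entrySet()) {
                if (sb.length() > 0) {
                    sb.append('&');
                }
                sb.append(enc(e.getKey())).append('=').append(enc(e.getValue()));
            }
            return sb.toString();
        }
    }

    public static TokenRequest build(Method method, String tokenEndpoint, String clientId,
            String clientSecret, String code, String redirectUri) throws Exception {
        TokenRequest req = new TokenRequest();
        req.headers.put("Content-Type", "application/x-www-form-urlencoded");
        req.form.put("grant_type", "authorization_code");
        req.form.put("code", code);
        req.form.put("redirect_uri", redirectUri);

        switch (method) {
            case CLIENT_SECRET_BASIC: {
                // RFC 6749 2.3.1: form-urlencode id and secret first, then Base64 "id:secret".
                String creds = enc(clientId) + ":" + enc(clientSecret);
                req.headers.put("Authorization", "Basic "
                        + Base64.getEncoder().encodeToString(creds.getBytes(StandardCharsets.UTF_8)));
                break;
            }
            case CLIENT_SECRET_POST: {
                // Credentials go into the form body; the endpoint must be HTTPS for this to be safe.
                req.form.put("client_id", clientId);
                req.form.put("client_secret", clientSecret);
                break;
            }
            case CLIENT_SECRET_JWT: {
                // The secret never leaves the client; only a short-lived signed assertion is sent.
                req.form.put("client_assertion_type",
                        "urn:ietf:params:oauth:client-assertion-type:jwt-bearer");
                req.form.put("client_assertion", hs256Assertion(clientId, clientSecret, tokenEndpoint));
                break;
            }
        }
        return req;
    }

    /** Client assertion per OIDC Core 9: iss and sub are the client_id, aud is the token endpoint. */
    static String hs256Assertion(String clientId, String clientSecret, String tokenEndpoint)
            throws Exception {
        long now = Instant.now().getEpochSecond();
        String header = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
        String payload = "{\"iss\":\"" + clientId + "\",\"sub\":\"" + clientId
                + "\",\"aud\":\"" + tokenEndpoint + "\",\"jti\":\"" + UUID.randomUUID()
                + "\",\"iat\":" + now + ",\"exp\":" + (now + 60) + "}";
        String signingInput = b64url(header.getBytes(StandardCharsets.UTF_8)) + "."
                + b64url(payload.getBytes(StandardCharsets.UTF_8));
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(clientSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256"));
        return signingInput + "." + b64url(mac.doFinal(signingInput.getBytes(StandardCharsets.UTF_8)));
    }

    private static String b64url(byte[] data) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(data);
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; the code value is the one from the OIDC Core examples.
        for (Method m : Method.values()) {
            TokenRequest r = build(m, "https://issuer.example.com/token", "powerauth-client",
                    "s3cret", "SplxlOBeZQQYbYS6WxSbIA", "https://app.example.com/cb");
            System.out.println(m + " headers=" + r.headers);
            System.out.println(m + " body=" + r.body());
        }
    }
}
```

Which method to use is not the client's free choice: it has to match what the provider registered for the client (`token_endpoint_auth_method`), and providers advertise the supported set as `token_endpoint_auth_methods_supported` in the discovery document, which is why the configuration should carry the method alongside the secret.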

banterCZ commented 2 months ago

I think adding usage of /.well-known/openid-configuration is good. But as the OIDC Issuer can support discovery as an option, i.e. it is not mandatory, we need to keep the possibility for explicit config.

Thanks, a good point. Let's add a fallback to the manual configuration.
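One way to combine discovery with a manual fallback, as an added example that is not part of this PR or of PowerAuth (class and method names are hypothetical, and the fetcher is injected so the code runs offline against a constructed document):

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Optional;
import java.util.function.Function;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not PowerAuth code. Runs stand-alone with: java ProviderConfig.java
public final class ProviderConfig {

    public final String issuer;
    public final String authorizationEndpoint;
    public final String tokenEndpoint;
    public final String jwksUri;

    public ProviderConfig(String issuer, String authorizationEndpoint, String tokenEndpoint, String jwksUri) {
        this.issuer = issuer;
        this.authorizationEndpoint = authorizationEndpoint;
        this.tokenEndpoint = tokenEndpoint;
        this.jwksUri = jwksUri;
    }

    /** OIDC Discovery 4.1: the well-known path is appended to the issuer without a double slash. */
    public static URI discoveryUri(String issuer) {
        String base = issuer.endsWith("/") ? issuer.substring(0, issuer.length() - 1) : issuer;
        return URI.create(base + "/.well-known/openid-configuration");
    }

    /**
     * Empty when the issuer serves no discovery document. A document whose issuer differs
     * from the configured one is a hard error (OIDC Discovery 4.3), never a reason to fall back.
     */
    public static Optional<ProviderConfig> fromDiscovery(String issuer, Function<URI, Optional<String>> fetch) {
        Optional<String> doc = fetch.apply(discoveryUri(issuer));
        if (doc.isEmpty()) {
            return Optional.empty();
        }
        String json = doc.get();
        String docIssuer = stringField(json, "issuer");
        if (!issuer.equals(docIssuer)) {
            throw new IllegalStateException("discovery document issuer " + docIssuer
                    + " does not match configured issuer " + issuer);
        }
        return Optional.of(new ProviderConfig(docIssuer,
                stringField(json, "authorization_endpoint"),
                stringField(json, "token_endpoint"),
                stringField(json, "jwks_uri")));
    }

    /** Discovery first; explicit endpoints only when the issuer offers no discovery at all. */
    public static ProviderConfig resolve(String issuer, Function<URI, Optional<String>> fetch,
            ProviderConfig explicit) {
        return fromDiscovery(issuer, fetch).orElseGet(() -> {
            if (explicit == null) {
                throw new IllegalStateException("issuer " + issuer
                        + " offers no discovery and no explicit endpoints were configured");
            }
            return explicit;
        });
    }

    /** Real fetcher: HTTP 200 means a document; any other status or an I/O failure means none. */
    public static Function<URI, Optional<String>> httpFetcher() {
        HttpClient client = HttpClient.newHttpClient();
        return uri -> {
            try {
                HttpResponse<String> resp = client.send(HttpRequest.newBuilder(uri).GET().build(),
                        HttpResponse.BodyHandlers.ofString());
                return resp.statusCode() == 200 ? Optional.of(resp.body()) : Optional.empty();
            } catch (Exception e) {
                return Optional.empty();
            }
        };
    }

    // Minimal extraction of a top-level string member; a real implementation uses a JSON parser.
    private static String stringField(String json, String name) {
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("discovery document lacks " + name);
        }
        return m.group(1);
    }

    public static void main(String[] args) {
        String issuer = "https://issuer.example.com";
        ProviderConfig explicit = new ProviderConfig(issuer, issuer + "/authorize", issuer + "/token", issuer + "/jwks");
        // Constructed discovery document, served only for the expected well-known URI.
        String doc = "{\"issuer\":\"" + issuer + "\",\"authorization_endpoint\":\"" + issuer + "/oauth2/authorize\","
                + "\"token_endpoint\":\"" + issuer + "/oauth2/token\",\"jwks_uri\":\"" + issuer + "/oauth2/jwks\"}";
        Function<URI, Optional<String>> serving = uri -> uri.equals(discoveryUri(issuer)) ? Optional.of(doc) : Optional.empty();
        Function<URI, Optional<String>> absent = uri -> Optional.empty();

        System.out.println("discovered token endpoint: " + resolve(issuer, serving, explicit).tokenEndpoint);
        System.out.println("fallback token endpoint:   " + resolve(issuer, absent, explicit).tokenEndpoint);
    }
}
```

The distinction that matters for security is between "no document" and "wrong document": a 404 falls back to the explicit configuration, while an issuer mismatch fails closed, because a document that names a different issuer would otherwise redirect token and key lookups to endpoints the configuration never approved.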