Closed (voronin-ilya closed this issue 1 year ago)
that would break OpenID Connect compliance and result in a completely insecure setup; you'll have to fix your broken Provider
I understand that I am attempting to use OIDC code for OAuth 2.0 authorization tasks. Could this functionality possibly be implemented as a configuration option?
@zandbelt You sure about that? Openresty also breaks if id_token is missing on a token refresh response, which the standard says is allowed to be missing here.
see: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
For example Azure AD does not provide an id_token in its refresh responses. As do many other IDPs.
We tried to check the lua code and it seems like the code is fine, but still we run into 401s.
error.log also empty sadly.
that is a different question about a different grant type: indeed the code should allow for a response without an id_token
in the refresh grant type; from what I gather from the code it does so (as opposed to the authorization code exchange), and indeed if it didn't allow that it would have been flagged earlier since a lot of IDPs do not return it (and IMHO should not...)
Environment

Expected behaviour

My OAuth provider does not include the `id_token` in the token endpoint response. I expected lua-resty-openidc to handle such scenarios appropriately.

Actual behaviour

The absence of `id_token` in the response caused lua-resty-openidc to encounter a nil error. To resolve this, I had to modify the code as follows: https://github.com/voronin-ilya/lua-resty-openidc/commit/a14a19a830e1f5809eacdbb2e6c97552a049ccb0

Proposal

Introduce support for scenarios where `id_token` is not present in the response.
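The distinction the maintainer draws above, as an added Lua illustration that is not lua-resty-openidc's own code: a token endpoint response handler that fails closed when the authorization code exchange omits `id_token`, but tolerates its absence on a refresh by reusing the stored claims. `session.id_token` and `decode_id_token` are assumed stand-ins for the library's real session store and JWT verification.

```lua
-- Added illustration, not lua-resty-openidc's own code: check a token endpoint
-- response the way the thread describes. OpenID Connect Core requires an
-- id_token in the authorization code response (3.1.3.3) but lets a refresh
-- response omit it (12.2), so only the refresh path may reuse stored claims.
-- `session.id_token` and `decode_id_token` are assumed stand-ins for the
-- library's real session store and JWT verification.

local function decode_id_token(raw)
  -- stand-in: a real implementation verifies signature, iss, aud, exp, nonce
  if type(raw) ~= "string" or raw == "" then
    return nil, "malformed id_token"
  end
  return { raw = raw }
end

local function validate_token_response(grant_type, resp, session)
  if type(resp) ~= "table" or type(resp.access_token) ~= "string" then
    return nil, "token response lacks access_token"
  end

  if resp.id_token == nil then
    if grant_type == "authorization_code" then
      -- Fail closed: with no id_token there is no authenticated subject.
      -- Blindly using resp.id_token here is where a nil error would surface.
      return nil, "id_token missing from authorization code response"
    elseif grant_type == "refresh_token" then
      -- Allowed by the spec: keep the identity established at login.
      if session == nil or session.id_token == nil then
        return nil, "no id_token in refresh response and none in session"
      end
      return { access_token = resp.access_token,
               refresh_token = resp.refresh_token or session.refresh_token,
               id_token = session.id_token, id_token_reused = true }
    end
    return nil, "unsupported grant_type: " .. tostring(grant_type)
  end

  local claims, err = decode_id_token(resp.id_token)
  if not claims then return nil, err end
  return { access_token = resp.access_token, refresh_token = resp.refresh_token,
           id_token = claims, id_token_reused = false }
end

-- constructed sample responses: code exchange without id_token is rejected,
-- refresh without id_token falls back to the session's stored id_token
local ok, err = validate_token_response("authorization_code", { access_token = "at1" })
assert(ok == nil and err:match("missing"))
local r = validate_token_response("refresh_token", { access_token = "at2" },
                                  { id_token = { raw = "old" } })
assert(r and r.id_token_reused and r.id_token.raw == "old")
```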