Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Discovery issues / bug #32

Open
Timo614 opened this issue Feb 18, 2015 · 2 comments
Open

Discovery issues / bug #32

Timo614 opened this issue Feb 18, 2015 · 2 comments

Comments

@Timo614
Copy link

Timo614 commented Feb 18, 2015

It looks like the logic here is expecting a discover option but the option is for discovery:
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L129

When I enabled discovery (after updating that logic to discovery) I noticed my issuer was failing to be discovered because it was missing https here as this logic expects a full URI (https://github.com/nov/openid_connect/blob/master/lib/openid_connect/discovery/provider/config/resource.rb#L11):
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L79

When I added the https I noticed it failed here because the decoding expected the issuer to not have a protocol:
https://github.com/jjbohn/omniauth-openid-connect/blob/master/lib/omniauth/strategies/openid_connect.rb#L162

I noticed the readme shows an issuer without the protocol and given the openid configuration data from the discovery doc shows it without the https guessing it should be this way so the bug is probably just in that the discovery logic should append the protocol itself? (https://accounts.google.com/.well-known/openid-configuration)

New to OpenID Connect, sorry for the trouble.
@NobodysNightmare
Copy link
Contributor

I can confirm that this code does not work, when the issuer has no protocol specified. This is because host, path and part are nil for e.g. URI('localhost:5556').

@NobodysNightmare
Copy link
Contributor

After reading the OIDC spec again, I am pretty sure that the issuer should be specified including the scheme part.
As of the spec:

The iss value is a case sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

Since the issuer is also used to verify the ID token, those rules also have to apply here.

Therefore I suggest to update the README (currently reading: "e.g. issuer: "myprovider.com"") and expect the issuer to include the scheme part.

@NobodysNightmare NobodysNightmare mentioned this issue Mar 16, 2016
Merged
peregrinator pushed a commit to criticaljuncture/omniauth-openid-connect that referenced this issue Aug 28, 2019
@januszm @m0n9oose
Add support for response_type id_token (jjbohn#32)
3f52ccd 
* Add support for response_type id_token

* Simplify the response_type validation

* Remove unnecessary statements from README
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@NobodysNightmare @Timo614