OpenID Connect Core 1.0 and Discovery 1.0 support
Limited to OpenID provider conformance profiles "Basic" and "Config":
- Support for features mandatory to implement for all OpenID Providers, not the feature set for Dynamic OpenID Providers
- Only Authorization Code Flow, no support for Implicit/Hybrid Flow
- Only code response type, no support for token/id_token
- Server metadata is served at /.well-known/openid-configuration
Additional/optional features:
- Support for "claims" parameter
- Support for standard scopes "profile" and "email"
- Support for non-standard scope/claim "groups" (in violation of RFC 9068)
Compatibility with existing (working) uffd client setups: Authorization requests without the "openid" scope behave the same as before. Prior to this change authorization requests with the "openid" scope were rejected by uffd.
This change adds direct dependencies to pyjwt and cryptography. Prior to this change both were already transitive dependencies of oauthlib.
Closes #155 (closed)
ToDos:
- Refactor authorization code invalidation bug fix into a separate change (has minor security implications)
- Refactor OAuth2 error handling changes into separate change
- Find solution for Buster: oauthlib v3 made backwards-incompatible changes regarding its OIDC support, Buster ships v2.1.0, Bullseye/Bookworm ship v3.x.x
- Add tests for OIDC
- Add migrations
- Compatibility testing with a few OIDC client implementations
The OpenID Foundation provides a conformance testing service for its certification program. As far as I understand, it is possible to run the tests without requesting certification and paying the certification fee. If that is the case, I would like to complete these tests before merging this.
added 3 commits
- be1de8b7...4457282d - 2 commits from branch master
- 1c2bc40b - OpenID Connect Core 1.0 and Discovery 1.0 support
added 1 commit
- 490bf838 - OpenID Connect Core 1.0 and Discovery 1.0 support
added 2 commits
added 16 commits
- 16f5ae99 - 1 commit from branch master
- 16f5ae99...35728201 - 5 earlier commits
- 7630260c - Model tests and Buster compat
- a1824886 - cryptography compat fix for Buster and refactor of error handling
- 8beb3276 - Add migration
- 1f67b0ce - Make claims nullable
- 8df43c93 - Fix tests and migration
- 8df6a222 - Fix e8a2b30d
- 7758994e - Fix jwt pip dependency
- d1467e24 - Refactoring
- b038f29d - Ignore unknown scope values (as recommended in OIDC spec)
- ad1bd87a - Properly reject known but unsupported request/request_uri auth parameters
I just ran the conformance test suites (oidcc-test-plan and oidcc-config-certification-test-plan).
Note to myself, if I'm ever running that test suite again: Set the test alias to some random value. If left empty, each test case uses a different redirect uri and constantly changing them is pretty annoying.
Results for Basic profile (oidcc-basic-certification-test-plan):
- oidcc-response-type-missing failed with: 'error_description' field MUST NOT include characters outside the set %09-0A (Tab and LF) / %x0D (CR) / %x20-21 / %x23-5B / %x5D-7E -> TODO (quotation marks are not allowed)
- oidcc-scope-profile warns: 'claims' in userinfo doesn't contain all scope items of scope in authorization request (corresponds to scope standard claims) (missing items: website, zoneinfo, birthdate, gender, profile, given_name, middle_name, locale, picture, updated_at, family_name) -> this is expected since we don't have this data
- oidcc-scope-address and oidcc-scope-phone are skipped because we don't support the scopes and don't advertise support in the discovery document
- oidcc-scope-all is skipped because we don't support address and phone scopes
- oidcc-prompt-login, oidcc-prompt-none-not-logged-in, oidcc-prompt-none-logged-in, oidcc-max-age-1, oidcc-max-age-10000 are not completed because we don't support the prompt and max_age parameters -> this is a known limitation in our OIDC support to be addressed later
- oidcc-id-token-hint is not completed because it requires support for prompt parameter
- oidcc-ensure-request-with-acr-values-succeeds warns: An acr value was requested using acr_values, so the server 'SHOULD' return an acr claim, but it did not.
- oidcc-codereuse-30seconds warns that we don't revoke access tokens after authorization code reuse (SHOULD in OAuth2 spec) -> known limitation and unrelated to this change, to be addressed later
- oidcc-ensure-registered-redirect-uri succeeded but I didn't care to upload a screenshot of the redirect URI error page
- oidcc-ensure-request-object-with-redirect-uri succeeded (uffd displayed an invalid redirect_uri error), but I didn't care to upload a screenshot
- oidcc-refresh-token failed because the token endpoint returns a refresh_token, but we don't support refresh tokens so the attempt to use it fails -> TODO
Results for Config profile (oidcc-config-certification-test-plan):
I've fixed the error_description and refresh_token issues above. In addition I added support for prompt=none and id_token_hint. New conformance test results:
- oidcc-response-type-missing PASSED
- oidcc-prompt-none-not-logged-in PASSED
- oidcc-prompt-none-logged-in PASSED
- oidcc-id-token-hint PASSED
- oidcc-refresh-token SKIPPED
The remaining limitations (login, consent and select_account prompt values, max_age parameter, auth_time claim) all relate to session age/freshness. This is cumbersome to implement without server-side sessions. Since migrating to server-side sessions is on the roadmap it's better to wait until that is done.
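The authorization-request handling this merge request touches (ignoring unknown scope values, rejecting the unsupported request/request_uri parameters, answering prompt=none without a session with login_required, and keeping error_description inside the RFC 6749 character set that oidcc-response-type-missing checks), as an added Python illustration that is not uffd's code; the function names, the supported-scope set and the dict-based parameter handling are assumptions.

```python
import re

# RFC 6749 section 5.2 limits error_description to %x20-21 / %x23-5B / %x5D-7E
# (printable ASCII without '"' and '\') plus Tab, LF and CR; the conformance
# test oidcc-response-type-missing fails on anything else.
_ALLOWED = re.compile(r'[\x09\x0a\x0d\x20-\x21\x23-\x5b\x5d-\x7e]')

def sanitize_error_description(text):
    """Drop every character RFC 6749 does not permit in error_description."""
    return ''.join(_ALLOWED.findall(text))

# Assumed scope and prompt support, matching what the MR describes.
SUPPORTED_SCOPES = {'openid', 'profile', 'email', 'groups'}
SUPPORTED_PROMPTS = {'none'}  # login/consent/select_account need session freshness

def validate_authorization_request(params, user_logged_in):
    """Return ('ok', scopes) or ('error', {'error': ..., 'error_description': ...}).

    Hypothetical validator, not uffd's implementation; params is a dict of
    query parameters and user_logged_in says whether a session exists.
    """
    def err(code, description):
        return 'error', {'error': code,
                         'error_description': sanitize_error_description(description)}

    # Only the Authorization Code Flow is supported, so response_type must be "code".
    if 'response_type' not in params:
        return err('invalid_request', 'Missing "response_type" parameter')
    if params['response_type'] != 'code':
        return err('unsupported_response_type', 'Only the "code" response type is supported')
    # Request objects are known but unsupported: reject them with the dedicated codes.
    if 'request' in params:
        return err('request_not_supported', 'The "request" parameter is not supported')
    if 'request_uri' in params:
        return err('request_uri_not_supported', 'The "request_uri" parameter is not supported')
    # OIDC Core: unknown scope values are ignored rather than rejected.
    scopes = [s for s in params.get('scope', '').split() if s in SUPPORTED_SCOPES]
    prompts = set(params.get('prompt', '').split())
    # prompt=none must not be combined with any other prompt value.
    if 'none' in prompts and len(prompts) > 1:
        return err('invalid_request', 'prompt=none cannot be combined with other values')
    unsupported = prompts - SUPPORTED_PROMPTS
    if unsupported:
        return err('invalid_request', 'Unsupported prompt value(s): ' + ' '.join(sorted(unsupported)))
    # prompt=none must never show a login UI; without a session answer login_required.
    if 'none' in prompts and not user_logged_in:
        return err('login_required', 'User is not logged in')
    return 'ok', scopes
```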