OIDC Integration #382
Conversation
Spell Checker found issues in doc/parameters.md (generated by 🚫 Danger)
e92b5dd to 01aff0b
859d97c to 83ec731
```lua
local config = res.headers.content_type == 'application/json' and cjson.decode(res.body)

if not config then
  ngx.log(ngx.STDERR, 'failed to get OIDC Issuer Configuration from ', uri, ' status: ', res.status, ' body: ', res.body)
```
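Review bot: `cjson.decode` raises a Lua error on malformed input instead of returning nil, so `if not config` only covers the case where the content type is not `application/json`; a 200 response with a broken JSON body will abort the handler rather than reach this log line. Wrap the decode in `pcall` (or use `cjson.safe`, which returns `nil, err`) and log the two cases separately, which also gives the "not valid JSON" message asked for in the thread.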
I'd suggest changing the log level to ERR
and moving this to the TODO a few lines above.
And here log explicitly that the config couldn't be parsed because the content is not valid JSON.
Fixed in 3bc2222
```lua
  return jwt_obj, '[jwt] invalid alg'
end
-- TODO: this should be able to use DER format instead of PEM
local pubkey = format_public_key(self.config.public_key)
```
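Review bot: `format_public_key(self.config.public_key)` runs on every verification with the same configured key; compute the PEM once when the configuration is loaded and make that step detect an existing `-----BEGIN` header, so a key that already arrives in PEM form is not wrapped a second time (the concern raised in this thread), and the `'[jwt] invalid alg'` check stays ahead of any key handling as it is here.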
Maybe before formatting first check whether it's already in PEM format? (or maybe the format function itself should do it...)
Why? We support only Keycloak and I could not find this in the spec. So looks like this might be keycloak specific.
If you have spec that defines this I'll be happy to validate the input.
@mikz Hm, well, the code doesn't "say" that it's only Keycloak...
So, if we can make it more generic, and potentially make it work for any other IDP (even if not officially supported), that would be just great.
I could not find a spec for sharing the public key. I don't really have access to other IDPs. And zync supports only Keycloak.
We support only Keycloak initially. The code is made to support other implementations too, but we need a spec for them. We don't have a spec and don't want to support anything other than Keycloak initially. Once that changes this will change too.
I'm happy to modify this if I had at least an example / spec of other IDPs.
show the code to add expectation
3bc2222 to 9378081
and remove RHSSO integration
OIDC integration expects that the client data is already in the IDP.
It then just uses the OpenID Connect Discovery protocol to get the public key and verify the access token. The application id to report to backend is extracted from the JWT `azp` or `aud` field. Once the JWT is decoded and verified it is stored in a local LRU cache that can fit 10000 entries per worker. APIcast does not communicate with the OpenID Connect Issuer for anything other than getting the certificate via OpenID Connect Discovery. Clients are synchronised from 3scale to the IDP via http://github.com/3scale/zync.