
Update Google authorization endpoint #45

Closed
GeorgianaElena opened this issue Jun 9, 2022 · 4 comments
Comments

@GeorgianaElena
Contributor

Context

Issue

It seems that CILogon is using an old Google endpoint, http://google.com/accounts/o8/id, as I didn't find any references to this endpoint in the Google docs.

I'm not familiar with the codebase, but the URL above seems to be used a few times: https://github.com/ncsa/OA4MP/search?q=http%3A%2F%2Fgoogle.com%2Faccounts%2Fo8%2Fid&type=code

@terrencegf
Collaborator

I think I understand the issue. There needs to be a claim for the Google IdP URL that can be verified against a local configuration file (as noted in CVE-2022-31027). The current "idp" claim in CILogon-issued tokens is "http://google.com/accounts/o8/id". This value is Google's original OAuth 1.0a endpoint. (CILogon has been around for over 10 years!) Since this value is used in the CILogon database as a key, it is not practical to change this value. The alternative is to change Google's "EntityID" value from https://cilogon.org/idplist/ . I have created a CILogon Jira task to investigate this issue.

@terrencegf
Collaborator

terrencegf commented Jun 24, 2022

In the CILogon TEST deployment (https://test.cilogon.org), I have updated the "entityID" values for the social Identity Providers (GitHub, Google, Microsoft, ORCID) as reported by https://test.cilogon.org/idplist/ to match the "idp" value from the OAuth2/OIDC "userinfo" endpoint.

(Note that these values are simply identifiers for CILogon and are not the actual OAuth2 authorization endpoints.)

This update still supports the old "entityID" values for the purposes of the "idphint" query parameter and skinning, e.g., https://test.cilogon.org/?idphint=https%3A%2F%2Faccounts.google.com%2Fo%2Foauth2%2Fauth . So no client-side changes are necessary if using optional query parameters (https://www.cilogon.org/oidc#h.p_IWGvXH0okDI_).

This update will be deployed to production mid-July.
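The comments above describe two things a relying party has to get right: the "idp" claim from CILogon's userinfo endpoint must be checked against a local allow-list (the point raised with CVE-2022-31027), and the Google identifier changes from the legacy OAuth 1.0a value to the new entityID while the old value keeps working for idphint. The following is an added example written for this thread, not code from CILogon, OA4MP or the issue reporter. It assumes that the new Google entityID equals the idphint value quoted above and that the relying party keeps its allow-list in local configuration; the userinfo documents and the non-Google identifier are constructed sample data.

```python
"""Added example: verify the "idp" claim from CILogon's OIDC userinfo response
against a locally configured allow-list, tolerating the entityID migration
described in the issue thread. Not CILogon's own code."""
from typing import Iterable
from urllib.parse import urlencode

# Identifier values quoted in the thread. The old value is Google's original
# OAuth 1.0a identifier that CILogon keeps as a database key; the new value is
# assumed (per the thread's idphint example) to be the updated entityID.
LEGACY_IDP_ALIASES = {
    "http://google.com/accounts/o8/id": "https://accounts.google.com/o/oauth2/auth",
}


def canonical_idp(idp: str) -> str:
    """Map a legacy identifier onto its current value; other values pass through."""
    return LEGACY_IDP_ALIASES.get(idp, idp)


def idp_is_allowed(userinfo: dict, allowed_idps: Iterable[str]) -> bool:
    """Return True only when userinfo carries a non-empty string "idp" claim
    that, after alias normalisation, appears in the operator's allow-list.

    A missing, empty or non-string claim is rejected rather than treated as
    a wildcard, so a token from an unexpected identity provider never passes.
    """
    idp = userinfo.get("idp")
    if not isinstance(idp, str) or not idp:
        return False
    normalized_allow = {canonical_idp(v) for v in allowed_idps}
    return canonical_idp(idp) in normalized_allow


def idphint_url(base: str, entity_id: str) -> str:
    """Build the optional idphint query parameter for CILogon's front page.

    urlencode percent-encodes ':' and '/', which reproduces the form of the
    URL quoted in the thread.
    """
    return base.rstrip("/") + "/?" + urlencode({"idphint": entity_id})


if __name__ == "__main__":
    # Constructed sample userinfo responses (not captured from CILogon).
    old_style = {"sub": "http://cilogon.org/serverA/users/123", "idp": "http://google.com/accounts/o8/id"}
    new_style = {"sub": "http://cilogon.org/serverA/users/123", "idp": "https://accounts.google.com/o/oauth2/auth"}
    # Operator allow-list written before the migration, using the old identifier.
    allow = {"http://google.com/accounts/o8/id"}
    print(idp_is_allowed(old_style, allow), idp_is_allowed(new_style, allow))
    print(idphint_url("https://test.cilogon.org", "https://accounts.google.com/o/oauth2/auth"))
```

Keeping the allow-list and the alias map separate means an operator's existing configuration keeps working across the mid-July change without silently widening what is accepted; anything outside the configured set, or a response with no "idp" claim at all, is refused.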

@terrencegf
Collaborator

The update has been deployed to https://cilogon.org . Please contact [email protected] if the update does not address this issue.

@GeorgianaElena
Contributor Author

Thank you very much @terrencegf
