
select_preferred_auth may be choosing a method for which there are not required resources #351

Closed
danj3 opened this issue May 22, 2024 · 8 comments

@danj3
Contributor

danj3 commented May 22, 2024

oidcc version

3.2.0

Erlang version

26

Elixir version

1.16

Summary

Upon upgrade from 3.1.2 to 3.2, authorization URL generation broke at attempt_par (resulting in HTTP 401/Authorization failed). The default available auth methods in oidcc_auth_util.erl:add_client_authentication are used when not overridden by Opts; however, the client is only configured with a client_secret (for use with the Basic or post methods), but the result was (one of) the JWT methods.

It seems some additional client configuration is needed to use the JWT methods (based only on the 401), so does the select_preferred_auth function need to consult the client configuration to determine whether a method can be used? Alternatively, is it presumed that the client must always pass preferred_auth_methods if the IDP supports all of them but the client is only configured for a subset?

This problem may be the result of a knowledge deficit on the reporter's part; if so, the reporter offers both apologies and a request for steps to remedy it.

Current behavior

A client configured with client_id and client_secret for create_redirect_url will fail authorization during PAR if the IDP supports the JWT methods.

How to reproduce

Configure the client with client_id and client_secret, without a JWT for auth.

Expected behavior

If only a client_secret is in the client context/config, without a client_jwks, detect and remove the JWT auth methods during selection.

@danj3 danj3 added the bug label May 22, 2024
@maennchen
Member

I'm a bit swamped at the moment.

@paulswartz Do you have some time to have a look by any chance?

@paulswartz
Collaborator

I took a look, and it looks like Oidcc should be doing the right thing and bailing out of private_key_jwt if there are no keys present: https://github.com/erlef/oidcc/blob/main/src%2Foidcc_auth_util.erl#L183

@danj3 can you share any more about your configuration?
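The selection behaviour under discussion (pick a client authentication method from what the IdP advertises, but only one the client is actually configured for, and let an explicit preferred list override the default order), shown as an added example. This is not oidcc's own code and does not reproduce its select_preferred_auth or add_client_authentication; the module name, the preference order, the map keys (client_secret, client_jwks) and the helper names are all assumptions made for illustration.

```erlang
%% Added example, not oidcc's own code: a hypothetical selector that only
%% chooses a client authentication method the client is configured to use.
-module(auth_method_example).
-export([select/2, select/3, requirements/1, demo/0]).

%% Default preference order (an assumption for this example, not oidcc's):
%% key-based JWT first, then secret-based JWT, then the plain secret methods.
-define(PREFERENCE, [private_key_jwt, client_secret_jwt,
                     client_secret_basic, client_secret_post, none]).

%% Which client configuration keys each method needs before it can succeed.
%% private_key_jwt signs the assertion with the client's own key set, so it
%% is unusable without client_jwks; the three client_secret_* methods only
%% need the shared secret; `none` needs nothing (public client).
requirements(private_key_jwt)     -> [client_jwks];
requirements(client_secret_jwt)   -> [client_secret];
requirements(client_secret_basic) -> [client_secret];
requirements(client_secret_post)  -> [client_secret];
requirements(none)                -> [].

%% Supported: the IdP's token_endpoint_auth_methods_supported list.
%% Config: client configuration map, e.g. #{client_id => ..., client_secret => ...}.
%% Walks the default preference order.
select(Supported, Config) ->
    select(Supported, Config, ?PREFERENCE).

%% Same, but with an explicit preference list (the analogue of passing a
%% preferred_auth_methods option): the first method that the IdP supports
%% AND the client has the configuration for wins.
select(Supported, Config, Preferred) ->
    Usable = [M || M <- Preferred,
                   lists:member(M, Supported),
                   lists:all(fun(Key) -> has(Key, Config) end, requirements(M))],
    case Usable of
        [Method | _] -> {ok, Method};
        []           -> {error, no_usable_auth_method}
    end.

%% A key counts as configured only when present and non-empty; an empty
%% JWKS (no keys) is treated as absent, since nothing could sign with it.
has(Key, Config) ->
    case maps:get(Key, Config, undefined) of
        undefined        -> false;
        <<>>             -> false;
        #{keys := []}    -> false;
        _                -> true
    end.

%% Constructed sample inputs (not taken from any real IdP or client).
demo() ->
    Supported  = [private_key_jwt, client_secret_jwt, client_secret_basic],
    SecretOnly = #{client_id => <<"app">>, client_secret => <<"s3cr3t">>},
    WithJwks   = SecretOnly#{client_jwks => #{keys => [#{kty => <<"RSA">>}]}},
    %% No JWKS: private_key_jwt is skipped even though the IdP supports it.
    {ok, client_secret_jwt}         = select(Supported, SecretOnly),
    %% With a JWKS the key-based method becomes usable and is preferred.
    {ok, private_key_jwt}           = select(Supported, WithJwks),
    %% An explicit preference list forces the plain secret method instead.
    {ok, client_secret_basic}       = select(Supported, SecretOnly,
                                             [client_secret_basic, client_secret_post]),
    %% IdP only offers a method the client cannot satisfy: report it rather
    %% than sending a request that will come back 401.
    {error, no_usable_auth_method}  = select([private_key_jwt], SecretOnly),
    ok.
```

Compile with `erlc auth_method_example.erl` and run `auth_method_example:demo().` in an Erlang shell; every match in `demo/0` succeeds when the selector behaves as described. Note that, with a secret-only client and an IdP advertising client_secret_jwt, a config-aware selector still legitimately lands on a JWT method, since client_secret_jwt needs only the secret; if that method is the one returning 401, the explicit preference list is the lever to fall back to Basic or post.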

@danj3
Contributor Author

danj3 commented May 29, 2024

I will put some debugging into the function you called out and report back.

@maennchen
Member

@danj3 Did you figure anything out?

@maennchen maennchen self-assigned this Aug 5, 2024
@maennchen
Member

Closing because of inactivity
