Token endpoint expects client_id in request #20
Comments
May quite help with troubleshooting - e.g., UniversitaDellaCalabria/SATOSA-oidcop#20
|
Hi Vlad, thank you for this! OIDC Core 1.0 states that token endpoint should be protected with a client authentication if the requester is a confidential (not public) client. And, well, the client authentication can be private_key_jwt or all those listed in the section below (we may also support mTLS and so on, for the future ...) https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication as you can read in all the non normative examples in OIDC Core we have the client_id in the request. Well, we can say that if the authz header is Basic and client_id is there, well, we can take it from there, it would be But I don't see any The place where you can obtain the client_id (whatever it is and verified with a well known client authentication) is here, in ._load_cdb (cdb, acronym of client db) the door is open, we can do whatever we want with the software, now we just have to put here the right assumptions before doing the right thing I'd ask to @melanger to give his feedback on this proposal. |
|
Hi @peppelinux , Thanks for the detailed reply - and sorry, I see had not followed into the OAuth 2.0 specification. I now see that other client authentication methods would pass client_id ... and my client happened to use Basic Auth. And I see I should have included a direct link to the code using the The proposal ( Cheers, |
|
you can easily achieve that adding the support of the basic auth in ._load_cdb it will query mongo and load valid clients inmemory so you can intercept the client authz in that method and then the query on mongo will work every choice we'll take, we'll always prefer the simplest one |
|
Hi, it seems reasonable to me. I also experience some strange problems when varying the client authentication method, so this might be the fix. |
|
@vladimir-mencl-eresearch considering that you're working with basic auth, can you propose a PR to cover this feature? |
Support authorization_code lookup for clients with client_secret_basic authentication. If client_id is not provided as a request param, get it from basic auth. Fixes UniversitaDellaCalabria#20
|
Hi @peppelinux , PR #26 sent - please let me know what you think about it. Cheers, |
fix: get client_id also from Basic auth Support authorization_code lookup for clients with client_secret_basic authentication. If client_id is not provided as a request param, get it from basic auth. Fixes #20
|
🎉 This issue has been resolved in version 1.0.1 🎉 The release is available on:
Your semantic-release bot 📦🚀 |
Hi,
I'm running a SATOSA deployment with OpenIDConnect (pyop) frontend and SAML2 backend.
Based on discussion in IdentityPython/pyop#39, I've tried using oidcop instead of pyop.
When testing this with an RP/client running mod_auth_openidc with
authorization_codegrant, I was gettingAnd from the logs, I could see SATOSA logging
After some digging, I found the
load_session_from_dbmethod insatosa_oidcop/core/storage/mongo.pywas not finding anything in MongoDB, because it was querying with_q={'authorization_code': 'Z0FBQU...5a', 'client_id': None}- withclient_idpopulated fromparse_req.get("client_id").The code expects to
client_idparam to be passed to the token endpoint, even though the OpenID Connect specification of Token Endpoint makes no mention of it.I was able to work around this by configuring the OP to send
client_idas an extra parameter:... but I believe this should be fixed in oidcop, removing the requirement to send client_id as an extra parameter.
Thanks a lot in advance for addressing this.
Cheers,
Vlad
The text was updated successfully, but these errors were encountered: