Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add userinfo_endpoint provider metadata to discovery endpoint #888

Closed
wants to merge 1 commit into from
Closed

Add userinfo_endpoint provider metadata to discovery endpoint #888

wants to merge 1 commit into from

Conversation

wiliamsouza
Copy link

This adds userinfo_endpoint provider metadata to discovery endpoint .well-known/openid-configuration.
and make it editable in config file.

This is used for some smart OpenID connect authentication to provide user data profile or infomations.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata

wiliamsouza
wiliamsouza commented Apr 3, 2017
View reviewed changes
server/handlers.go
Scopes []string `json:"scopes_supported"`
AuthMethods []string `json:"token_endpoint_auth_methods_supported"`
Claims []string `json:"claims_supported"`
UserInfoEndpoint string `json:"userinfo_endpoint"`
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe add omitempty here?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessary since it is only a "recommended" attribute.

rithujohn191
rithujohn191 reviewed Apr 3, 2017
View reviewed changes
cmd/dex/config.go
@@ -47,7 +47,8 @@ type Config struct {
// StaticPasswords cause the server use this list of passwords rather than
// querying the storage. Cannot be specified without enabling a passwords
// database.
StaticPasswords []password `json:"staticPasswords"`
StaticPasswords []password `json:"staticPasswords"`
UserInfoEndpoint string `json:"userInfoEndpoint"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Plz add a comment to describe the UserInfoEndpoint. A link to https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata would also be helpful.

server/handlers.go
Scopes []string `json:"scopes_supported"`
AuthMethods []string `json:"token_endpoint_auth_methods_supported"`
Claims []string `json:"claims_supported"`
UserInfoEndpoint string `json:"userinfo_endpoint"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not necessary since it is only a "recommended" attribute.

@ericchiang
Copy link
Contributor

@rithujohn191 we don't implement this feature #376 Why would we return it in the metadata?

@rithujohn191
Copy link
Contributor

I was under the impression that the claims in ID Token could serve the info needed. Sorry about that. That would make #376 a pre-requisite for this PR.

@wiliamsouza
Copy link
Author

This metadata is useful when you already have this endpoint implemented as other service. For now I'm solving this in other place ByteInternet/drf-oidc-auth#20.
To make it clear the use case for userinfo_endpoint is.

                                                  +------------------------------------------+
                                                  |      populate OAuth clients              |
                                                  |      users login and passwords           |
                                                  |                                   +------+------+
                                                  |                                   |             |
                                                  |                                   | sellers api <----------+
                                 2       +--------v-------+                           |             |          |
                          request token  |                |                           +-------------+          |
                        +----------------> openid connect |                                                    |
                        |                |                <------------------------------------------------+   |
                        |                +-----+---^------+              7 validate id_token               |   |
                        |                      |   |                       with oidc provider              |   |
                        |                      |   |                                                       |   |         8
              1         |                      |   |                                                       |   | retrieve userinfo
            authN       |             3        |   |                                                       |   | from users rest api
+--------+  authZ  +----+----+      receive    |   |    5                             +--------------+     |   |
|        |         |         |   token and jwt |   | validate                    jwt  |              +----->   |
| seller +--------->  webapp <-----------------+   | token                     +------> products api |     |   |
|        |         |         |                     |                           |      |              +--------->
+--------+         +----+----+                     |                           |      +--------------+     |   |
                        |                          |                           |                           |   |
                        |                          |                           |                           |   |
                        |                          |                           |                           |   |
                        |                          |                           |      +------------+       |   |
                        |                          |                           | jwt  |            +-------+   |
                        |                          |                           +------> orders api |           |
                        |                          |                           |      |            +-----------+
                        |                          |                           |      +------------+
                        |        4      +----------+--+                        |
                        |       use     |             |           6            |
                        +---------------> api gateway +------------------------>
                          token and jwt |             |
                                        +-------------+
                                    Do access_token offload
                                    bypass id_token only

I'm in doubt what to do with this PR. feel free to close it.

@rithujohn191
Copy link
Contributor

We have been getting a lot of requests to support the user info endpoint but the general idea seems to be that users want this feature so that they can avoid the use of tokens. Which might not be the best practice in terms of security.

I will go ahead and close out this PR for now until we make a final decision regarding the user info endpoint. Thanks again for sending this in.

@wiliamsouza
Copy link
Author

In our case we use the same JWT token to get userinfo from endpoint. When you make a decision let me know I would love to help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rithujohn191 rithujohn191 rithujohn191 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wiliamsouza @ericchiang @rithujohn191