Comments (16)
Hi, Ruby isn't my thing either. Discovery is set to false. I haven't found how to solve this, but in the meantime I've disabled verification by overriding the decode method with this code inside an initializer.
module OpenIDConnect
  class ResponseObject
    class IdToken < ConnectObject
      class << self
        # Overrides the gem's decode so the ID token is parsed without its
        # signature being checked (the workaround described above).
        def decode(jwt_string, key)
          Rails.logger.debug jwt_string
          Rails.logger.debug key
          if key == :self_issued
            decode_self_issued jwt_string
          else
            new JSON::JWT.decode jwt_string, :skip_verification
          end
        end
      end
    end
  end
end
from omniauth_openid_connect.
I did something similar. I reverted this commit and it works now. Following the logic in that file, I'm 90% sure the problem is related to the JWKS_URI not being called or the public key data not being loaded with discovery off.
But that said, reverting that validation does allow the signing to work.
And I haven't figured out how to change the ruby code to load the public key properly :-/
from omniauth_openid_connect.
I'm having this issue too, and I found that there seems to be a config that's not documented: client_signing_alg
as I saw from here: https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L265-L276
But even though I tried this configuration, the verification didn't work. Is the client_options.secret config supposed to be the client secret or something else? Pardon my limited knowledge of OAuth.
from omniauth_openid_connect.
I have the same issue. My provider does not expose a jwks endpoint, so I have discovery set to false and client_auth_method set to basic. However, the ID token is still being verified (and fails).
I was able to use OP's monkeypatch workaround without issue.
from omniauth_openid_connect.
My 2 cents here: it seems there is another option, client_jwk_signing_key,
that can contain the JSON content of the jwks endpoint (used in the test file):
A bit hacky, but should work.
===
Then, regarding this issue, I have some pointers.
The lines concerned are the following, I guess:
As config.jwks is the result of an OIDC discovery, it will be null if discover == false.
So basically, jwks_uri is never used when discover is set to false. If I understand the code well, I would add a switch branch there:
when :RS256, :RS384, :RS512
  if options.jwks_uri
    # Call the remote endpoint and return the jwks here.
  elsif options.client_jwk_signing_key
    parse_jwk_key(options.client_jwk_signing_key)
  elsif options.client_x509_signing_key
    parse_x509_key(options.client_x509_signing_key)
  end
@m0n9oose I am literally discovering the library, so I don't feel comfortable fixing it. But this is an issue I am facing too, so if no one more experienced with it can handle it next week, will try a PR.
from omniauth_openid_connect.
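The key-resolution branch proposed above, carried through as an added example in plain Ruby (standard library only; this is not the gem's code nor any commenter's): with discovery off it takes jwks_uri first, then an inline JWK set, then an X.509 certificate, and then actually verifies an RS256 ID token with the resolved key instead of skipping verification. The function names, treating the strategy options as a plain Hash, and the injected `fetch` getter are assumptions.

```ruby
require 'json'
require 'openssl'

def b64url(bin)
  [bin].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.size % 4) % 4)).unpack1('m0')
end
# JWK set JSON (jwks endpoint body or client_jwk_signing_key) -> { kid => RSA public key },
# each key rebuilt from "n"/"e" as PKCS#1 RSAPublicKey DER (works on OpenSSL 1.1 and 3).
def parse_jwk_set(json)
  JSON.parse(json).fetch('keys').each_with_object({}) do |jwk, keys|
    next unless jwk['kty'] == 'RSA'
    n, e = %w[n e].map { |k| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[k]), 2)) }
    keys[jwk['kid']] = OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([n, e]).to_der)
  end
end

# The branch proposed in the thread; `fetch` is an injected HTTP getter (assumption) so this runs offline.
def resolve_signing_keys(options, fetch: ->(uri) { raise "no fetcher for #{uri}" })
  if options[:jwks_uri]
    parse_jwk_set(fetch.call(options[:jwks_uri]))
  elsif options[:client_jwk_signing_key]
    parse_jwk_set(options[:client_jwk_signing_key])
  elsif options[:client_x509_signing_key]
    { nil => OpenSSL::X509::Certificate.new(options[:client_x509_signing_key]).public_key }
  else
    raise ArgumentError, 'discovery is off and no signing key is configured'
  end
end
# Verify an RS256 compact JWT against the resolved keys and return its claims; a token that is
# not RS256, names an unknown kid, or fails the signature check raises instead of being accepted.
def verify_id_token(jwt, keys)
  h64, p64, s64 = jwt.split('.')
  header = JSON.parse(b64url_decode(h64))
  raise "unsupported alg #{header['alg']}" unless header['alg'] == 'RS256'
  key = keys[header['kid']] || keys[nil] or raise "no key for kid #{header['kid']}"
  raise 'invalid signature' unless key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64.to_s), "#{h64}.#{p64}")
  JSON.parse(b64url_decode(p64))
end

# Constructed fixtures standing in for the provider: a fresh key published as a JWK set, and a token signed with it.
def jwks_json_for(rsa, kid)
  { keys: [{ kty: 'RSA', kid: kid, n: b64url(rsa.n.to_s(2)), e: b64url(rsa.e.to_s(2)) }] }.to_json
end
def sign_id_token(claims, rsa, kid)
  signed = [{ alg: 'RS256', kid: kid }, claims].map { |part| b64url(part.to_json) }.join('.')
  "#{signed}.#{b64url(rsa.sign(OpenSSL::Digest.new('SHA256'), signed))}"
end
```

Configuring `client_jwk_signing_key` with the provider's JWK set JSON, or `jwks_uri` with a real fetcher, lets the signature check run with discovery off; the `verify_id_token` path is what the monkeypatch above removes.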
Having a similar problem. By any chance do you have discovery set to false? Because I'm thinking the jwks_uri doesn't get used if discovery is off. But I'm still in the middle of debugging. Haven't figured it out yet (Ruby isn't my strong suit).
from omniauth_openid_connect.
Same problem here. I can't use discovery: true, as my provider named the configuration file .well-known/wallet-openid-configuration instead of .well-known/openid-configuration.
In my point of view we should be able to set jwks_uri even with discovery: false.
from omniauth_openid_connect.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from omniauth_openid_connect.
In response to the stale bot: we're prevented from upgrading to 0.3.5 due to this issue, I think. Seems like patching out checks isn't the best way to proceed... but I don't see what the best solution is.
from omniauth_openid_connect.
Well we know what the issue is. Just none of us know Ruby well enough to write a proper fix :-/
Best we can do is poke the maintainer or hopefully someone else comes along. But the issue was introduced in #44 so at least we know how to work around for the moment.
from omniauth_openid_connect.
#89 solves the issue for me.
@m0n9oose Can you take a look?
from omniauth_openid_connect.
I've pulled the changes in #89 into our fork:
- Rubygems: https://rubygems.org/gems/gitlab-omniauth-openid-connect
- Home page: https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect
from omniauth_openid_connect.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from omniauth_openid_connect.
It would be nice if we could get this merged. It's troublesome manually patching things :-/
from omniauth_openid_connect.
Oh gitlab forked the project?
from omniauth_openid_connect.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
from omniauth_openid_connect.