
fix: no routes for OAuth 2.0 clients with nosecret #475

Open
wants to merge 1 commit into base: 5.0.x
Conversation

sdelamo
Contributor

@sdelamo sdelamo commented Nov 28, 2020

close: #439

When would you want an OAuth 2.0 Client with no secret? You want to have the minimum security configuration in place to be able to validate ID tokens.

E.g. you have two services

[Gateway]

[Repository]

Gateway has the config:

micronaut:
  security:
    authentication: idtoken
    oauth2:
      clients:
        cognito:
          client-id: 'xxx'
          client-secret: 'xxx'
          openid:
            issuer: 'https://blablaba'

The gateway does the authorization code grant flow with Cognito and gets an ID token.

To communicate with the repository service it passes the ID token as a bearer token.

Repository does not need callback routes. It just needs the minimum config to register the JWKS endpoint obtained via Cognito's .well-known/openid-configuration to be able to validate the ID token the gateway includes in the request headers.

This will be the config for repository:

micronaut:
  security:
    authentication: idtoken
    oauth2:
      clients:
        cognito:
          client-id: 'xxx'
          openid:
            issuer: 'https://blablaba'

@sdelamo sdelamo added the type: improvement A minor improvement to an existing feature label Nov 28, 2020
@sdelamo sdelamo requested a review from jameskleeh November 28, 2020 15:52
@sdelamo
Contributor Author

sdelamo commented Dec 21, 2020

@jameskleeh could you review this?

@jameskleeh
Contributor

jameskleeh commented Dec 21, 2020

@sdelamo To me this is better implemented by supporting an issuer property in JwksSignatureConfigurationProperties

micronaut.security.token.jwt.signatures.jwks.*.openid-issuer: 'https://blablaba'

That is more clear what the intent is and doesn't require additional checks in the oauth logic

@sdelamo
Contributor Author

sdelamo commented Dec 22, 2020

We need the client-id in addition to the issuer because we need to validate the claims to avoid accepting every token issued by google for example.

When you are in authentication mode idtoken, we create an id token Claims validator.

We could support:

micronaut.security.token.jwt.signatures.jwks.*.oauth2-openid-issuer: 'https://blablaba'
micronaut.security.token.jwt.signatures.jwks.*.oauth2-client-id: 'XXXX'

And I could create a claims validator for each JwksSignature with such configuration.

@jameskleeh thoughts?
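The setup the PR describes, as an added example that is not part of this PR or of Micronaut Security: a resource service (the "Repository" above) that validates ID tokens using only the issuer's JWKS, the issuer URL and its own client-id, with no client-secret and no callback route, and that refuses tokens the same issuer signed for a different client, which is the claims-validation point made in the Dec 22 comment. Go, standard library only. The issuer URL, the client-ids and the `jwksFor` / `mintIDToken` helpers are assumptions: they stand in for Cognito and for fetching `jwks_uri` from the discovery document so the code runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// JWK holds the RSA public-key members a verifier needs from a JWKS document.
type JWK struct {
	Kty string `json:"kty"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// jwksFor is what the provider (Cognito in the thread) would serve at the
// jwks_uri named in its .well-known/openid-configuration for this signing key.
func jwksFor(pub *rsa.PublicKey) []JWK {
	e := enc.EncodeToString(big.NewInt(int64(pub.E)).Bytes())
	return []JWK{{Kty: "RSA", Kid: "key-1", N: enc.EncodeToString(pub.N.Bytes()), E: e}}
}

// mintIDToken plays the provider: it signs an RS256 ID token for one relying
// party, whose client-id is the aud. Hypothetical helper so the example runs offline.
func mintIDToken(priv *rsa.PrivateKey, iss, sub, aud string, exp time.Time) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": "key-1"})
	body, _ := json.Marshal(map[string]any{"iss": iss, "sub": sub, "aud": aud, "exp": exp.Unix()})
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		panic(err)
	}
	return input + "." + enc.EncodeToString(sig)
}

// decode base64url-decodes one JWT segment and parses it as JSON into out.
func decode(segment string, out any) bool {
	raw, err := enc.DecodeString(segment)
	return err == nil && json.Unmarshal(raw, out) == nil
}

// IDTokenValidator is the repository service's side of the thread: the issuer's
// JWKS, the issuer URL and its own client-id. No client-secret, no callback route.
type IDTokenValidator struct {
	Keys     []JWK
	Issuer   string
	ClientID string
}

// publicKey returns the RSA key from the JWKS whose kid matches, or nil.
func (v *IDTokenValidator) publicKey(kid string) *rsa.PublicKey {
	for _, k := range v.Keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kty == "RSA" && k.Kid == kid && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	return nil
}

// Validate checks alg, signature, iss, aud and exp, in that order; claims are returned only if all pass.
func (v *IDTokenValidator) Validate(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || !decode(parts[0], &hdr) || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unsupported alg") // the token never gets to choose its alg
	}
	pub := v.publicKey(hdr.Kid)
	if pub == nil {
		return nil, errors.New("no usable key in JWKS for kid")
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("bad signature")
	}
	var claims map[string]any
	if !decode(parts[1], &claims) || claims["iss"] != v.Issuer {
		return nil, errors.New("malformed claims or issuer mismatch")
	}
	if aud, _ := claims["aud"].(string); aud != v.ClientID {
		return nil, errors.New("audience mismatch") // signed by our IdP, but issued to another client
	}
	if exp, ok := claims["exp"].(float64); !ok || time.Now().Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}
```

The signature check alone is what the issuer-only configuration from the Dec 21 comment would give you; the `aud` check is what the client-id adds, and without it any token the same identity provider issued to any other application would be accepted here. A production validator additionally has to fetch and cache the JWKS from the discovery document and handle key rotation, accept the JSON-array form of `aud` that OIDC permits, allow for clock skew on `exp`, and check `nonce` or `azp` where the flow calls for them.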

Labels
type: improvement A minor improvement to an existing feature
Development

Successfully merging this pull request may close these issues.

OpenId Validation Features without OAuth login handler(s)