Send a minimal ID token when requested

An ID token [0] is now sent with the access token when an authorization code is exchanged. This ID token is only sent when the authorization grant has the 'Sign in' ('openid' identifier) scope. The given ID token is minimal: it only has the required claims set and is not signed. Also, while the nonce and auth_time claims can be required in some situations, they are never set at the moment.

It has been chosen to never return an ID token when processing a refresh request. While the specification allows it [1], an ID token can be seen as an authentication event, and when a refresh token is used there is no authentication of the user since the refresh token can outlive the user's session. Also, the information contained in the ID token regarding the user is unlikely to change often, so there might be very little need to have access to it outside of the login phase. In any case, it's easier to add it later than to remove it if people start depending on it.

To test you need to get an access token with the 'Sign in' scope (if the usage of PKCE is forced, add the mandatory parameters):

1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=openid&response_type=code&redirect_uri=<redirect_uri>
3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
4. Exchange the authorization code for an access token and an ID token:

   shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
       --user '<client_id>:<client_secret>' \
       --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \
       https://tuleap.example.com/oauth2/token

Part of story #14714: be an OpenID Connect provider

[0] https://openid.net/specs/openid-connect-core-1_0.html#IDToken
[1] https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Change-Id: Ibb7ce20ce9fa5dea32377b5285909494c8cd3663
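A relying-party-side check of the token endpoint behaviour described in the commit message, written as an added example that is not part of this change or of Tuleap's code. It decodes the unsigned (alg=none) ID token, verifies the claims OpenID Connect Core marks as required, and flags an ID token that appears on a refresh grant; the client id, subject and timestamps are constructed sample values.

```python
import base64
import json

# Claims that OpenID Connect Core marks REQUIRED in every ID token
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")
ISSUER = "https://tuleap.example.com"   # issuer taken from the commit's test URL
CLIENT_ID = "client-1"                  # constructed sample client id

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(part: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_unsigned_id_token(claims: dict) -> str:
    # Builds the unsigned JWS form the change describes: header.payload.<empty signature>
    header = {"alg": "none", "typ": "JWT"}
    return ".".join((_b64url(json.dumps(header).encode()), _b64url(json.dumps(claims).encode()), ""))

def decode_unsigned_id_token(id_token: str) -> dict:
    # Only accept the unsigned form; a signed token would need key verification instead
    header_b64, payload_b64, signature_b64 = id_token.split(".")
    if json.loads(_unb64url(header_b64)).get("alg") != "none" or signature_b64:
        raise ValueError("expected an unsigned (alg=none) ID token")
    return json.loads(_unb64url(payload_b64))

def check_token_response(response: dict, scopes: set, grant_type: str, now: int) -> list:
    """Return the problems a relying party should flag in a /oauth2/token response."""
    problems = []
    id_token = response.get("id_token")
    # Per the change: an ID token comes only with the openid scope on the code exchange, never on refresh
    expected = grant_type == "authorization_code" and "openid" in scopes
    if expected and id_token is None:
        problems.append("id_token missing although openid scope was requested")
    if not expected and id_token is not None:
        problems.append(f"unexpected id_token for grant_type={grant_type}")
    if id_token is None:
        return problems
    claims = decode_unsigned_id_token(id_token)
    problems += [f"required claim {c} missing" for c in REQUIRED_CLAIMS if c not in claims]
    if claims.get("iss") != ISSUER:
        problems.append("iss does not match the expected issuer")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain this client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        problems.append("id_token is expired or has no usable exp")
    return problems
```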

Modified Files

M plugins/oauth2_server/include/Grant/AccessTokenGrantRepresentationBuilder.php +17 −4
M plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2GrantAccessTokenFromAuthorizationCode.php +1 −0
M plugins/oauth2_server/include/Grant/OAuth2AccessTokenSuccessfulRequestRepresentation.php +30 −3
A plugins/oauth2_server/include/OpenIDConnect/IDToken/JWTBuilderFactory.php +36 −0
A plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreator.php +88 −0
M plugins/oauth2_server/include/oauth2_serverPlugin.php +7 −0
M plugins/oauth2_server/phpunit/Grant/AccessTokenGrantRepresentationBuilderTest.php +58 −7
M plugins/oauth2_server/phpunit/Grant/OAuth2AccessTokenSuccessfulRequestRepresentationTest.php +15 −0
A plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/JWTBuilderFactoryTest.php +36 −0
A plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreatorTest.php +102 −0