Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

Send a minimal ID token when requested

Download Browse

An ID token [0] is now send with the access token when a authorization code is exchanged. This ID token is only sent when the authorization grant has the 'Sign in' ('openid' identifier) scope. The given ID token is minimal: it only has the required claims set and is not signed. Also while the nonce and auth_time claim can be required is some situations they are never set at the moment. It has been chosen to never return an ID token when processing a refresh request. While the specification allows it [1] an ID token can be seen as an authentication event and when a refresh token there is no authentication of the user since the refresh token can outlive the user's session. Also, the information contained in the ID token regarding the user are unlikely to change often so there might be very little need to have access to it outside of the login phase. In any cases, it's easier to add it later than to remove it if people start depending on it. To test you need to get an access token with the 'Sign scope' (if the usage of PKCE is forced, add the mandatory parameters): 1. In the project admin create an OAuth2 app (note the ID and the given secret) 2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=openid&response_type=code&redirect_uri=<redirect_uri> 3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL 4. Exchange the authorization code for an access token and an ID token: shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \ --user '<client_id>:<client_secret>' \ --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \ https://tuleap.example.com/oauth2/token Part of story #14714: be an OpenID Connect provider [0] https://openid.net/specs/openid-connect-core-1_0.html#IDToken [1] https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse Change-Id: Ibb7ce20ce9fa5dea32377b5285909494c8cd3663

+390 −14
Thomas Gerbet (tgerbet) 2020-04-06 17:38
Thomas Gerbet (tgerbet) 2020-04-06 17:55
08c77ef6b94d130e1ab745304979839302cda460
583fba998f88228923e7e766e5fc620e51790ea5
git #tuleap/stable/08c77ef6b94d130e1ab745304979839302cda460

Modified Files

Side by side diff
Inline diff
Name
M plugins/oauth2_server/include/Grant/AccessTokenGrantRepresentationBuilder.php +17 −4 Go to diff View file
M plugins/oauth2_server/include/Grant/AuthorizationCode/OAuth2GrantAccessTokenFromAuthorizationCode.php +1 −0 Go to diff View file
M plugins/oauth2_server/include/Grant/OAuth2AccessTokenSuccessfulRequestRepresentation.php +30 −3 Go to diff View file
A plugins/oauth2_server/include/OpenIDConnect/IDToken/JWTBuilderFactory.php +36 −0 Go to diff View file
A plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreator.php +88 −0 Go to diff View file
M plugins/oauth2_server/include/oauth2_serverPlugin.php +7 −0 Go to diff View file
M plugins/oauth2_server/phpunit/Grant/AccessTokenGrantRepresentationBuilderTest.php +58 −7 Go to diff View file
M plugins/oauth2_server/phpunit/Grant/OAuth2AccessTokenSuccessfulRequestRepresentationTest.php +15 −0 Go to diff View file
A plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/JWTBuilderFactoryTest.php +36 −0 Go to diff View file
A plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreatorTest.php +102 −0 Go to diff View file