stable

Sign ID tokens

When an ID token is generated, it is now signed with RSA SHA-256. Only this type of signature will be supported as it is the only one that is mandatory to support for providers [0].

To test you need to get an access token with the 'Sign scope' (if the usage of PKCE is forced, add the mandatory parameters):

1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Access the authorize page at the URL https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=openid&response_type=code&redirect_uri=<redirect_uri>
3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
4. Exchange the authorization code for an access token and an ID token:

   shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
          --user '<client_id>:<client_secret>' \
          --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \
          https://tuleap.example.com/oauth2/token

5. The ID token will be signed. If you want to verify the token signature you can get the public key from the DB.

Part of story #14714: be an OpenID Connect provider

[0] https://openid.net/specs/openid-connect-core-1_0.html#ServerMTI

Change-Id: I7926f61c583290cd31c00424e6dbc5c570b935d9
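Step 5 of the commit message leaves verification to the reader. The following is an added, self-contained Python example (not Tuleap's PHP code and not the project's API) that shows what an RS256 ID token looks like end to end: an RSA key pair is generated, a JWT with a `{"alg":"RS256"}` header is signed with RSASSA-PKCS1-v1_5 over SHA-256 as the spec mandates, and a relying party verifies it. The verifier pins the algorithm to RS256 before touching the signature, so a token whose header says `none` or an HMAC algorithm is rejected outright, and it checks `iss`, `aud` and `exp`. All claim values, the client id, the timestamps and the 1024-bit key size (chosen only so the example runs quickly) are constructed for the example; a production key would be 2048 bits or more and would come from the provider's database as the commit message says, not be generated in the verifier.

```python
import base64
import hashlib
import json
import random
import secrets
import time

# DER encoding of DigestInfo for SHA-256, prepended to the hash in
# EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (trial division first for speed)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(candidate):
            return candidate


def generate_rsa_keypair(bits: int = 1024):
    """Return ((n, e), (n, d)). Toy key generation for the example only."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """Encode SHA-256(message) as 0x00 0x01 FF..FF 0x00 DigestInfo||hash, k bytes long."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    padding = b"\xff" * (k - len(t) - 3)
    return int.from_bytes(b"\x00\x01" + padding + b"\x00" + t, "big")


def sign_id_token(claims: dict, private_key) -> str:
    """Build a compact JWS (header.payload.signature) signed with RS256."""
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    header = {"alg": "RS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    signature = pow(_emsa_pkcs1_v15(signing_input.encode(), k), d, n)
    return signing_input + "." + b64url(signature.to_bytes(k, "big"))


def verify_id_token(token: str, public_key, issuer: str, audience: str, now=None) -> dict:
    """Verify an RS256 ID token; raise ValueError on any failure, else return the claims."""
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # Pin the algorithm: never trust the header to choose how to verify.
    if json.loads(b64url_decode(header_b64)).get("alg") != "RS256":
        raise ValueError("only RS256 signatures are accepted")
    signature = b64url_decode(sig_b64)
    if len(signature) != k or int.from_bytes(signature, "big") >= n:
        raise ValueError("signature has the wrong length or range")
    expected = _emsa_pkcs1_v15((header_b64 + "." + payload_b64).encode(), k)
    if pow(int.from_bytes(signature, "big"), e, n) != expected:
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("issuer or audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims
```

Running `sign_id_token` then `verify_id_token` with the same key pair round-trips the claims; changing a single claim byte, or rewriting the header to `{"alg":"none"}` and dropping the signature, makes `verify_id_token` raise before any claim is returned.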

Modified Files

Status  Name                                                                                                        Lines
M       plugins/oauth2_server/db/install.sql                                                                        +6 −0
A       plugins/oauth2_server/db/mysql/2020/202004071345_create_oidc_signing_key_table.php                          +46 −0
M       plugins/oauth2_server/db/uninstall.sql                                                                      +1 −0
M       plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreator.php                         +15 −2
A       plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAO.php                          +48 −0
A       plugins/oauth2_server/include/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactory.php                      +72 −0
M       plugins/oauth2_server/include/oauth2_serverPlugin.php                                                       +6 −1
M       plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/OpenIDConnectIDTokenCreatorTest.php                     +54 −1
A       plugins/oauth2_server/phpunit/OpenIDConnect/IDToken/OpenIDConnectSigningKeyFactoryTest.php                  +109 −0
A       plugins/oauth2_server/tests/integration/OpenIDConnect/IDToken/OpenIDConnectSigningKeyDAOTest.php            +58 −0