erlef / oidcc Goto Github PK
View Code? Open in Web Editor NEWOpenId Connect client library in Erlang & Elixir
Home Page: https://hexdocs.pm/oidcc
License: Apache License 2.0
oidcc's People
Contributors
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
Stargazers
Watchers
Forkers
bwegh altworx rmoorman watts-kit choyuri lazedo nedap foeken glenn-mn12 koolquark fholzhauser dmihalcik-virtru jshmrtn sharpfin maennchen f3c0 roman-galeev lburgey deanzone driebit yurikoval ad-pro yordis fridayy paulswartz kristofka jozuas kianmeng matlaj mathijskr mohamedalikhechine silentsilasoidcc's Issues
Provider crashes on lost connection
oidcc_http_util line 40
solution: add providers with configuration in the supervisor, so a restart also reconfigures the provider.
so it still crashes yet gets restarted
Problems including as a dependency in a mix project
I'm trying to include this in a mix project as a dependency and am hitting some issues.
After adding to mix.exs like this:
defp deps do
[ . . .
{:oidcc, github: "indigo-dc/oidcc/"},
]
end
We got this error.
Dependencies have diverged:
* ranch (https://github.com/extend/ranch.git)
different specs were given for the ranch app:
> In deps/gun/rebar.config:
{:ranch, ~r/.*/, [git: "https://github.com/extend/ranch.git", ref: "master", manager: :rebar]}
> In deps/cowboy/rebar.config:
{:ranch, ~r/.*/, [git: "https://github.com/ninenines/ranch.git", ref: "1.0.0", manager: :rebar]}
Ensure they match or specify one of the above in your deps and set "override: true"
* cowlib (https://github.com/extend/cowlib.git)
different specs were given for the cowlib app:
> In deps/gun/rebar.config:
{:cowlib, ~r/.*/, [git: "https://github.com/extend/cowlib.git", ref: "1.3.0", manager: :rebar]}
> In deps/cowboy/rebar.config:
{:cowlib, ~r/.*/, [git: "https://github.com/ninenines/cowlib.git", ref: "1.0.0", manager: :rebar]}
Ensure they match or specify one of the above in your deps and set "override: true"
** (Mix) Can't continue due to errors on dependencies
So we tried overriding the dependencies like so:
defp deps do
[. . .
{:oidcc, github: "indigo-dc/oidcc/"},
{:ranch, ~r/.*/, [env: :prod, git: "https://github.com/extend/ranch.git", ref: "1.2.1", manager: :rebar, override: true]},
{:cowlib, ~r/.*/, [env: :prod, git: "https://github.com/extend/cowlib.git", ref: "1.3.0", manager: :rebar, override: true]},
]
end
which got all the deps succesfully but now it's failing here in mix compile:
==> jsx (compile)
Compiled src/jsx_verify.erl
Compiled src/jsx_to_term.erl
Compiled src/jsx_to_json.erl
Compiled src/jsx_encoder.erl
Compiled src/jsx_consult.erl
Compiled src/jsx_config.erl
Compiled src/jsx.erl
Compiled src/jsx_parser.erl
Compiled src/jsx_decoder.erl
Uncaught error in rebar_core: {'EXIT',
{function_clause,
[{code,which,
[{rebar3_lint,
{git,
"https://github.com/bwegh/rebar3_lint.git",
{branch,"master"}}}],
[{file,"code.erl"},{line,719}]},
{rebar_core,'-plugin_modules/3-lc$^0/1-0-',
1,
[{file,"src/rebar_core.erl"},{line,573}]},
{rebar_core,plugin_modules,3,
[{file,"src/rebar_core.erl"},{line,573}]},
{rebar_core,process_dir1,7,
[{file,"src/rebar_core.erl"},{line,244}]},
{rebar_core,process_commands,2,
[{file,"src/rebar_core.erl"},{line,93}]},
{rebar,main,1,
[{file,"src/rebar.erl"},{line,58}]},
{escript,run,2,
[{file,"escript.erl"},{line,757}]},
{escript,start,1,
[{file,"escript.erl"},{line,277}]}]}}
Do you have any suggestions on how to proceed? Thanks!
elixir --version
Erlang/OTP 19 [erts-8.0.2] [source] [64-bit] [smp:8:8] [async-threads:10] [hipe] [kernel-poll:false] [dtrace]
Elixir 1.3.2
enhance server verification during ssl handshake
by enhancing the ssl_verify_fun
refetch keys if an unknown keyid is encountered
enhance error message on login fail, add the provider
check for support for OpenID Connect Federation
better error handling on non 200 http reply
adjust conformance tests to master
also recheck if new tests are needed
implement dynamic registration of the client
this is also needed for #82
validate scopes_supported before starting a request
use ets to manage openid provider list
Support for signed userinfo
needs to be registered with
userinfo_signed_response_alg=RS256
(or similar supported JWT algorithm)
the userinfo will then be a JWT
update README regarding API
change from gun to httpc
this lowers the dependencies of oidcc.
performance is not much of a matter as the communication is only used for login and fetching the configuration.
cache results from OpenID provider
both, valid and invalid information for a configurable amount of time, max should be the lifetime of the token
support syncronisation of http requests through cache
Idea:
if 10 parallel request all need the same http request to be performed:
- first one will perform the request and mark it as cache-pending
- the others will also wait for the result of the first as the cache does not return on the call
- once the result gets cached all receive the result
missing certfile, wrapped as list?
should https://github.com/indigo-dc/oidcc/blob/master/src/oidcc_http_util.erl#L160 be returned as a list? I am getting an argument error with:
:lists.keysearch(:version, 1, [{:timeout, 300000} | {:error, :missing_cacertfile}])
setting for request_timeout needed
this enables setting the max duration for pending caches and ensure no timing issues.
add support for additional config being stored ad provider
get a conformance certification for the library
at least these profiles:
- code
- configuration
optional: - dynamic
add tests of removing crashed provider
allow either the issuer or the configuration endpoint to be given
as the configuration endpoint can be derived from the issuer and vice versa
both can be specified without causing issues.
allow only issuer with SSL (https)
also parse the scopes in the Token response
fetching userinfo with access token not possible
add parameter to Id Token verification, if 'none' algorithm is allowed
the none algorithm is only allowed when directly communicating with a provider via SSL
Implement sessions and callback
add session support for the complete handshake, so the library user can hand off the complete process to the library.
this will include:
- setting up a session per request and managing them.
- implementing a callback module for cowboy to be used for the redirection and when coming back
remove the need for timers
application/jwk+json
keys should be fetched with the above accepted encoding.
split oidcc core and cowboy calback into seperate libraries
so other erlang http servers can also be supported
reject userinfo with bad sub claim
unify api
unify the api, so future changes possibly won't need an api change
enhance introspection handling
change back to original rebar3_lint plugin
add field on oicc implementations
so arbitrary data can be passed on success and fail.
these can include implementation specific argument, like
- req for cowboy
- env for psycho
to be most generic it will be a map, which might or might not contain key/value pairs.
support hex.pm
at the moment not yet possible due to
https://github.com/erlware/uri
not yet on hex.pm
add hbp back to integration testing
possible once TLS issue is sorted out
handle missing Id token gracefully
there are OpenId Connect providers that somtimes do not send an id token, this must be handled in a nicer way
check grant_types_supported and response_type_supported
ensure it contains 'authorization_code' before marking a provider as ready
and response_type 'code'
add possibility to set a trusted certificate per provider
ensure the configuration gets loaded, esp if provider is down
ensure the issuer of a provider is equal to the issuer received by an IdToken
ensure only signature keys are used to verify the id token
use ets to manage oidcc_clients
id token validation fails if aud is a list with only one entry
the thrown error is: {error,azp_missing}
the causing line is:
https://github.com/indigo-dc/oidcc/blob/f833fe63c7504f76e77612e9c75a5d93852ab9be/src/oidcc_token.erl#L121
solution will be to change the test to validate also check that there are more than one entry in the list
add priority to the list of provider, so sorting is later possible
will be added automatically by order
increase timeout for the call 'update_and_get_keys'
might lead to a login failure if the keys need to be fetched during login
verify issuer by configuration endpoint
Following OpenId Connect discovery
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
possibility to specify scopes per provider
different providers might support different scopes so a way to add an openid provider with
a set of scopes would be very helpful.
change json library
from jsx to jsone, as it is RFC compliant and faster
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.