Comments (12)
I had to modify a few things to get Google's OpenID Connect to "work."
As you've pointed out, removing the nonce reference from the authorize_uri
removed/fixed the nonce error from the Google request.
def authorize_uri
  client.redirect_uri = client_options.redirect_uri
  client.authorization_uri(
    response_type: options.response_type,
    scope: options.scope,
    # nonce: nonce,   # commented out: Google rejected the nonce parameter
  )
end
I had to also modify the access_token collector to set the :client_auth_method to something. If it's unset, it defaults to :basic, which results in the access token request using an HTTP Basic Authorization header. Basically, I made the following change:
def access_token
  # send client_id/client_secret as query parameters instead of HTTP Basic auth
  @access_token ||= client.access_token!(:client_auth_method => :query)
end
And finally - probably the most egregious of the bunch - I had to disable the validation performed on the userinfo response. Apparently there's a bug in Google's JSON response where they're sending a "true" string where it should be a boolean value.
extra do
  # skip_validation: Google returns "true" as a string where a boolean is expected
  { raw_info: user_info.as_json(:skip_validation => true) }
end
from omniauth-openid-connect.
Oh, and you'll also want to be sure that the :client_options you configure match those presented by Google's discovery endpoint:
{
  issuer: "accounts.google.com",
  authorization_endpoint: "https://accounts.google.com/o/oauth2/auth",
  token_endpoint: "https://accounts.google.com/o/oauth2/token",
  userinfo_endpoint: "https://www.googleapis.com/plus/v1/people/me/openIdConnect",
  revocation_endpoint: "https://accounts.google.com/o/oauth2/revoke",
  jwks_uri: "https://www.googleapis.com/oauth2/v2/certs",
  response_types_supported: [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  subject_types_supported: [
    "public"
  ],
  id_token_alg_values_supported: [
    "RS256"
  ],
  token_endpoint_auth_methods_supported: [
    "client_secret_post"
  ]
}
with something similar to the following. I should also note that defining the :redirect_uri in an application start-up configuration file removes the ability to easily determine the actual application domain/host from the request. 😦
:client_options => {
  :port => 443,
  :scheme => "https",
  :host => "accounts.google.com",
  :identifier => ENV["OIDC_GOOGLE_CLIENT_ID"],
  :secret => ENV["OIDC_GOOGLE_SECRET_KEY"],
  :redirect_uri => "http://localhost:3000/users/auth/google/callback",
  :authorization_endpoint => "/o/oauth2/auth",
  :token_endpoint => "/o/oauth2/token",
  :userinfo_endpoint => "https://www.googleapis.com/plus/v1/people/me/openIdConnect"
}
from omniauth-openid-connect.
Yep, already dealt with this. Here's my ticket over on openid_connect :)
nov/openid_connect#9
from omniauth-openid-connect.
One solution is to make the nonce optional and use the state option in order for it not to lose any security.
from omniauth-openid-connect.
You can now use state and nonce is optional. Will be updating docs soon.
from omniauth-openid-connect.
Did you ever release this? The latest version on rubygems (0.1.0) does not have state option. Also, I've tried the gem from master here and I'm still unable to make it work with Google. I'm using the client options provided above plus two additional options:
  issuer: "https://accounts.google.com",
  send_nonce: false,
Google returns the following error: "Client must specify either client_id or client_assertion, not both". I don't really know how all the internals work (rack-oauth2, openid_connect) so I'm stuck at this point.
from omniauth-openid-connect.
Hello,
Sorry to bring up an old issue here, but I'm trying to get omniauth-openid-connect to work with Google and am having some issues, bit of an OpenID Connect n00b here, hoping for a little help.
I'm using omniauth-openid-connect at the latest commit (b9246a0).
My initializers/omniauth.rb file currently looks like this:
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect,
    name: :google,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    send_nonce: false,
    issuer: "https://accounts.google.com",
    client_auth_method: :query,
    client_options: {
      port: 443,
      scheme: "https",
      host: "accounts.google.com",
      identifier: "MY_ID",
      secret: "MY_SECRET",
      redirect_uri: "http://localhost:3000/auth/google/callback",
      authorization_endpoint: "/o/oauth2/auth",
      token_endpoint: "/o/oauth2/token",
      userinfo_endpoint: "https://www.googleapis.com/plus/v1/people/me/openIdConnect"
    }
end
When I initiate the auth request, I get to Google's consent screen OK (the screen where it says "My App would like to" etc.). I then click the "Accept" button and I get the error JSON::JWS::VerificationFailed. By the stack trace I can see that I get to the decode_id_token method, and then things start to go wrong once omniauth-openid-connect passes off to ::OpenIDConnect::ResponseObject::IdToken.decode:
  def decode_id_token(id_token)
    ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
  end
I seem to be getting an id_token value back from Google OK, but I've noticed that the public_key method is returning nil for me and I'm wondering if this has something to do with my problem. Can anyone provide some insight into what I need to do differently here in order to get things working?
I've tried adding discovery: true and/or jwks_uri: "https://www.googleapis.com/oauth2/v2/certs" in my omniauth.rb, but neither seems to make a difference. Would I be correct in assuming that discovery is not necessary if options are being set manually?
from omniauth-openid-connect.
Yeah, discovery shouldn't be necessary. I'm not sure about your issue though. The error is getting raised here. And here's what can make that error come up. Do your options match this?
from omniauth-openid-connect.
I don't see that Google openly supports the address scope requested. I'm not sure if that is the cause of the issue, but according to their discoverable configuration, there is no address scope option:
  scopes_supported: [
    "openid",
    "email",
    "profile"
  ]
Also, it looks as though their preferred userinfo endpoint has changed (again, from the discoverable configuration link above):
  userinfo_endpoint: "https://www.googleapis.com/oauth2/v3/userinfo"
from omniauth-openid-connect.
Thanks for the input guys. Taking into account this further info, I've given it one last good go here, but I can't get past the JSON::JWS::VerificationFailed error. My best guess is still that it has something to do with the public_key method returning nil and I don't know what config to provide in order to get the required value.
In any case, I've gone with the omniauth-google-oauth2 strategy for now (thanks for the suggestion @nbibler). I guess this option is less flexible if one wants to use providers other than Google but that it works with minimal config is enough for me at present, and one can always add other strategies later.
from omniauth-openid-connect.
I know it's an old issue and this is not even active anymore, but just for googlers' sake here goes the resolution.
The omniauth-google-oauth2 decodes the ID Token without verifying the signature.
That's why it works and omniauth-openid-connect doesn't. For this to work in omniauth-openid-connect you have to provide the necessary options to get the public key, as you correctly assumed.
In the case of Google this would be achieved through the following options:
  client_signing_alg: :RS256
  client_jwk_signing_key: '{ "keys": [ { "e": "AQAB", "use": "sig", "kty": "RSA", "alg": "RS256", ... }, ... ] }'
Where the key is coming from https://www.googleapis.com/oauth2/v3/certs.
With these options set the ID token is decoded and can be verified.
Using discovery with the jwks_uri endpoint set would also fix this issue presumably.
If you use :skip_verification as the public key parameter the decoding works as well.
from omniauth-openid-connect.
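To make concrete what the comment above means by verifying the ID token against the key from the certs endpoint, here is an added example (not omniauth-openid-connect's or openid_connect's code) that rebuilds an RSA public key from a JWKS entry of the shape Google serves and checks an RS256 token's signature and iss/aud/exp claims with Ruby's stdlib only. The key pair, kid and claims are constructed for the demo.

```ruby
require 'openssl'
require 'json'
# Added example, not the gem's code: verify an RS256 ID token against a JWKS
# document like https://www.googleapis.com/oauth2/v3/certs (what the
# client_jwk_signing_key / jwks_uri options feed the strategy). Demo key, kid
# and claims are constructed here.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  (s + '=' * ((4 - s.length % 4) % 4)).unpack1('m0')
end

# JWK entry for an RSA public key, as a provider's certs endpoint publishes it.
def jwk_for(rsa, kid)
  { 'kty' => 'RSA', 'alg' => 'RS256', 'use' => 'sig', 'kid' => kid,
    'n' => b64url(rsa.n.to_s(2)), 'e' => b64url(rsa.e.to_s(2)) }
end

# Rebuild an OpenSSL public key from (n, e) by wrapping them in a SubjectPublicKeyInfo.
def public_key_from_jwk(jwk)
  n = OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk['n']), 2))
  e = OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk['e']), 2))
  alg = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  spki = OpenSSL::ASN1::Sequence([alg, OpenSSL::ASN1::BitString(OpenSSL::ASN1::Sequence([n, e]).to_der)])
  OpenSSL::PKey.read(spki.to_der)
end

# Provider side: sign the claims as a compact JWS, naming the key by kid.
def sign_id_token(claims, rsa, kid)
  input = "#{b64url(JSON.generate({ 'alg' => 'RS256', 'kid' => kid }))}.#{b64url(JSON.generate(claims))}"
  "#{input}.#{b64url(rsa.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# Relying-party side: select the key by kid, check the signature, then check
# iss/aud/exp. Returns the claims hash, or nil when any step fails.
def verify_id_token(token, jwks, issuer:, audience:, now: Time.now.to_i)
  h, p, s = token.split('.')
  return nil unless s
  header = JSON.parse(b64url_decode(h))
  return nil unless header['alg'] == 'RS256' # only the algorithm the provider advertises
  jwk = jwks['keys'].find { |k| k['kid'] == header['kid'] }
  return nil unless jwk
  return nil unless public_key_from_jwk(jwk).verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  return nil unless claims['iss'] == issuer && claims['aud'] == audience && claims['exp'].to_i > now
  claims
end
```

A token whose payload is edited after signing, or whose kid is absent from the JWKS, comes back as nil rather than as trusted claims, which is the check omniauth-google-oauth2 skips according to the comment above.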