
Comments (12)

nbibler avatar nbibler commented on July 4, 2024

I had to modify a few things to get Google's OpenID Connect to "work."

As you've pointed out, removing the nonce reference from the authorize_uri removed/fixed the nonce error from the Google request.

def authorize_uri
  client.redirect_uri = client_options.redirect_uri
  client.authorization_uri(
    response_type: options.response_type,
    scope: options.scope,
    #nonce: nonce,
  )
end

I had to also modify the access_token collector to set the :client_auth_method to something. If it's unset, it defaults to :basic which results in the access token request using an HTTP Basic Authorization header. Basically, I made the following change:

def access_token
  @access_token ||= client.access_token!(:client_auth_method => :query)
end

And finally - probably the most egregious of the bunch - I had to disable the validation performed on the userinfo response. Apparently there's a bug in Google's JSON response where they're sending a "true" string where it should be a boolean value.

extra do
  { raw_info: user_info.as_json(:skip_validation => true) }
end

from omniauth-openid-connect.

nbibler avatar nbibler commented on July 4, 2024

Oh, and you'll also want to be sure that your configured :client_options match those presented by Google's discovery endpoint:

{
  issuer: "accounts.google.com",
  authorization_endpoint: "https://accounts.google.com/o/oauth2/auth",
  token_endpoint: "https://accounts.google.com/o/oauth2/token",
  userinfo_endpoint: "https://www.googleapis.com/plus/v1/people/me/openIdConnect",
  revocation_endpoint: "https://accounts.google.com/o/oauth2/revoke",
  jwks_uri: "https://www.googleapis.com/oauth2/v2/certs",
  response_types_supported: [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  subject_types_supported: [
    "public"
  ],
  id_token_alg_values_supported: [
    "RS256"
  ],
  token_endpoint_auth_methods_supported: [
    "client_secret_post"
  ]
}

With something similar to the following: I should also note that defining the :redirect_uri in an application start-up configuration file removes the ability to easily determine the actual application domain/host from the request. 😦

    :client_options => {
      :port => 443,
      :scheme => "https",
      :host => "accounts.google.com",
      :identifier => ENV["OIDC_GOOGLE_CLIENT_ID"],
      :secret => ENV["OIDC_GOOGLE_SECRET_KEY"],
      :redirect_uri => "http://localhost:3000/users/auth/google/callback",
      :authorization_endpoint => "/o/oauth2/auth",
      :token_endpoint => "/o/oauth2/token",
      :userinfo_endpoint => "https://www.googleapis.com/plus/v1/people/me/openIdConnect"
    }

from omniauth-openid-connect.

aaronchi avatar aaronchi commented on July 4, 2024

Yep, already dealt with this. Here's my ticket over on openid_connect :)
nov/openid_connect#9

from omniauth-openid-connect.

machisuji avatar machisuji commented on July 4, 2024

One solution is to make the nonce optional and use the state option in order for it not to lose any security.

from omniauth-openid-connect.

nessamurmur avatar nessamurmur commented on July 4, 2024
  • Nonce is now optional with #12
  • State will be available when #11 is merged

from omniauth-openid-connect.

nessamurmur avatar nessamurmur commented on July 4, 2024

You can now use state and nonce is optional. Will be updating docs soon.

from omniauth-openid-connect.

semaperepelitsa avatar semaperepelitsa commented on July 4, 2024

Did you ever release this? The latest version on rubygems (0.1.0) does not have the state option. Also, I've tried the gem from master here and I'm still unable to make it work with Google. I'm using the client options provided above plus two additional options:

issuer: "https://accounts.google.com",
send_nonce: false,

Google returns the following error: "Client must specify either client_id or client_assertion, not both". I don't really know how all the internals work (rack-oauth2, openid_connect) so I'm stuck at this point.

from omniauth-openid-connect.

gaelian avatar gaelian commented on July 4, 2024

Hello,

Sorry to bring up an old issue here, but I'm trying to get omniauth-openid-connect to work with Google and am having some issues, bit of an OpenID Connect n00b here, hoping for a little help.

I'm using omniauth-openid-connect at the latest commit (b9246a0).

My initializers/omniauth.rb file currently looks like this:

Rails.application.config.middleware.use OmniAuth::Builder do
  provider :openid_connect,
    name: :google,
    scope: [:openid, :email, :profile, :address],
    response_type: :code,
    send_nonce: false,
    issuer: "https://accounts.google.com",
    client_auth_method: :query,
    client_options: {
      port: 443,
      scheme: "https",
      host: "accounts.google.com",
      identifier: "MY_ID",
      secret: "MY_SECRET",
      redirect_uri: "http://localhost:3000/auth/google/callback",
      authorization_endpoint: "/o/oauth2/auth",
      token_endpoint: "/o/oauth2/token",
      userinfo_endpoint: "https://www.googleapis.com/plus/v1/people/me/openIdConnect"
    }
end

When I initiate the auth request, I get to Google's consent screen OK (the screen where it says "My App would like to" etc.), I then click the "Accept" button and I get the error JSON::JWS::VerificationFailed. By the stack trace I can see that I get to the decode_id_token method, and then things start to go wrong once omniauth-openid-connect passes off to ::OpenIDConnect::ResponseObject::IdToken.decode:

def decode_id_token(id_token)
  ::OpenIDConnect::ResponseObject::IdToken.decode(id_token, public_key)
end

I seem to be getting an id_token value back from Google OK but I've noticed that the public_key method is returning nil for me and I'm wondering if this has something to do with my problem. Can anyone provide some insight into what I need to do differently here in order to get things working?

I've tried adding discovery: true and/or jwks_uri: "https://www.googleapis.com/oauth2/v2/certs" in my omniauth.rb, but neither seems to make a difference. Would I be correct in assuming that discovery is not necessary if options are being set manually?

from omniauth-openid-connect.

jjbohn avatar jjbohn commented on July 4, 2024

Yeah, discovery shouldn't be necessary. I'm not sure about your issue though. The error is getting raised here. And here's what can make that error come up. Do your options match this?

from omniauth-openid-connect.

nbibler avatar nbibler commented on July 4, 2024

I don't see that Google openly supports the address scope requested. I'm not sure if that is the cause of the issue, but according to their discoverable configuration, there is no address scope option:

scopes_supported: [
"openid",
"email",
"profile"
]

Also, it looks as though their preferred userinfo endpoint has changed (again, from the discoverable configuration link above):

userinfo_endpoint: "https://www.googleapis.com/oauth2/v3/userinfo"

from omniauth-openid-connect.

gaelian avatar gaelian commented on July 4, 2024

Thanks for the input guys. Taking into account this further info, I've given it one last good go here, but I can't get past the JSON::JWS::VerificationFailed error. My best guess is still that it has something to do with the public_key method returning nil and I don't know what config to provide in order to get the required value.

In any case, I've gone with the omniauth-google-oauth2 strategy for now (thanks for the suggestion @nbibler). I guess this option is less flexible if one wants to use providers other than Google but that it works with minimal config is enough for me at present, and one can always add other strategies later.

from omniauth-openid-connect.

machisuji avatar machisuji commented on July 4, 2024

I know it's an old issue and this is not even active anymore, but just for Googlers' sake, here goes the resolution.

The omniauth-google-oauth2 strategy decodes the ID Token without verifying the signature. That's why it works and omniauth-openid-connect doesn't. For this to work in omniauth-openid-connect you have to provide the necessary options to get the public key, as you correctly assumed.

In the case of google this would be achieved through the following options:

client_signing_alg: :RS256
client_jwk_signing_key: '{ "keys": [ { "e": "AQAB", "use": "sig", "kty": "RSA", "alg": "RS256", ... }, ... ] }'

The key comes from https://www.googleapis.com/oauth2/v3/certs.
With these options set the ID token is decoded and can be verified.

Using discovery with the jwks_uri endpoint set would also fix this issue presumably.

If you use :skip_verification as the public key parameter the decoding works as well.

from omniauth-openid-connect.
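To make the difference in the resolution above concrete (decoding an ID token without checking its signature versus verifying it against the issuer's JWKS), here is an added example that is not part of the gem or this thread. It uses only the Ruby standard library; the key pair, the JWKS document, the kid "k1" and the claims are all constructed for the demo and stand in for what Google publishes at its jwks_uri.

```ruby
require "openssl"
require "json"
require "base64"

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Constructed key pair standing in for the one the issuer publishes at its jwks_uri.
ISSUER_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS = { "keys" => [{ "kty" => "RSA", "alg" => "RS256", "use" => "sig", "kid" => "k1",
                      "n" => b64url(ISSUER_KEY.n.to_s(2)), "e" => b64url(ISSUER_KEY.e.to_s(2)) }] }

# Mint an RS256 ID token the way the issuer would (constructed, for the demo only).
def mint_id_token(key, kid, claims)
  header = b64url(JSON.generate({ "alg" => "RS256", "typ" => "JWT", "kid" => kid }))
  payload = b64url(JSON.generate(claims))
  signature = key.sign(OpenSSL::Digest.new("SHA256"), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url(signature)}"
end

# Decoding without verifying: the payload is trusted as-is and the signature is ignored.
def decode_unverified(token)
  JSON.parse(Base64.urlsafe_decode64(token.split(".")[1]))
end

# Rebuild an RSA public key from the JWK's n and e (wrapped as SubjectPublicKeyInfo DER).
def rsa_from_jwk(jwk)
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["n"]), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["e"]), 2)
  rsa = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  algo = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId("rsaEncryption"), OpenSSL::ASN1::Null(nil)])
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([algo, OpenSSL::ASN1::BitString(rsa.to_der)]).to_der)
end

# Verify the signature with the JWK named by the header's kid, then check the claims
# a relying party must validate (issuer, audience, expiry) before trusting the token.
def verify_id_token(token, jwks, issuer:, audience:, now: Time.now.to_i)
  header_b64, payload_b64, sig_b64 = token.split(".")
  header = JSON.parse(Base64.urlsafe_decode64(header_b64))
  raise "unexpected alg" unless header["alg"] == "RS256" # pin the alg; never accept "none"
  jwk = jwks["keys"].find { |k| k["kid"] == header["kid"] } or raise "unknown kid"
  signature = Base64.urlsafe_decode64(sig_b64)
  signed = "#{header_b64}.#{payload_b64}"
  raise "bad signature" unless rsa_from_jwk(jwk).verify(OpenSSL::Digest.new("SHA256"), signature, signed)
  claims = JSON.parse(Base64.urlsafe_decode64(payload_b64))
  raise "wrong issuer" unless claims["iss"] == issuer
  raise "wrong audience" unless Array(claims["aud"]).include?(audience)
  raise "expired" unless claims["exp"].to_i > now
  claims
end
```

A token whose payload has been altered still decodes fine through decode_unverified, while verify_id_token rejects it; that gap is what :skip_verification or an unverified decode leaves open.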
