Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenId Validation Features without OAuth login handler(s) #439

Open
h4t0n opened this issue Nov 5, 2020 · 8 comments · May be fixed by #475
Open

OpenId Validation Features without OAuth login handler(s) #439

h4t0n opened this issue Nov 5, 2020 · 8 comments · May be fixed by #475
Assignees
@sdelamo
Labels
relates-to: jwt type: enhancement New feature or request

Comments

@h4t0n
Copy link

h4t0n commented Nov 5, 2020

I use Micronaut to validate a Google OpenID JWTs without needing the oauth login handler. I know that I can use jwks url with bearer token validation configuration. But for google the standard endpoint is the openid configuration, indeed jwks uri may change.

Is it possibile to use openid configuration only for token validation?
@sdelamo sdelamo added relates-to: jwt type: enhancement New feature or request labels Nov 9, 2020
@sdelamo
Copy link
Contributor

sdelamo commented Nov 9, 2020

I think we should support this.

how do you envision this to work @h4t0n ?

We could support:

micronaut:
  security:
    token:
      jwt:
        signatures:
          jwks:
            google:
              url: 'https://accounts.google.com/'
              type: 'openid-configuration'

and if you specify a type of openid-configuration we search for the jwks_uri exposed in the well-known/openid-configuration

or did you just want to have something like this:

micronaut:
  security:
    oauth2:
      clients:
        google: 
          client-id: '${OAUTH_CLIENT_ID}'  
          client-secret: '${OAUTH_CLIENT_SECRET}' 
          openid:
            issuer: 'https://accounts.google.com'

We probably need to add a claims validator to ensure we only accept tokens addressed to an OAuth 2.0 client.

@h4t0n
Copy link
Author

h4t0n commented Nov 9, 2020

What about something like that?

micronaut:
  security:
    oauth2:
      clients:
        google: 
          type: 'verify'
          client-id: '${OAUTH_CLIENT_ID}' 
          openid:
            issuer: 'https://accounts.google.com'

Because here we can use the client-id to validate only its tokens. And do we need the client-secret? I think it can be omitted to verify the token.

@sdelamo
Copy link
Contributor

sdelamo commented Nov 9, 2020

I agree with you, client_secret should not be necessary.

Probably, we should not require type: verify either.

@h4t0n
Copy link
Author

h4t0n commented Nov 9, 2020

The type 'verify' or something similar should be used to disable OAuth login endpoints probably. So it is clear that the OAuth2 configuration is only used to verify tokens.

@sdelamo sdelamo self-assigned this Nov 17, 2020
sdelamo added a commit that referenced this issue Nov 17, 2020
@sdelamo
feat: add openid issuer claims validator
7d14577 
See: #439
@sdelamo sdelamo mentioned this issue Nov 17, 2020
Merged
@sdelamo
Copy link
Contributor

sdelamo commented Nov 18, 2020

@h4t0n using authentication mode idtoken should be what you need. We already have a factory which registers the JWKS uri obtained through discovery:

JwksUriSignatureFactory

I've created a PR which includes a claims validator to validate that the aud claim contains the client_id, that the iss matches and for multiple audiences the azp.

So, you will just need:

micronaut:
  security:
    authentication: idtoken
    oauth2:
      clients:
        google: 
          client-id: '${OAUTH_CLIENT_ID}' 
          openid:
            issuer: 'https://accounts.google.com'

@h4t0n
Copy link
Author

h4t0n commented Nov 18, 2020

Sounds really good. So if I don't use the client-secret It means that no OAuth2 login/logout endpoint are created right?

jameskleeh pushed a commit that referenced this issue Nov 18, 2020
@sdelamo @ilopmar
feat: add idtoken claims validation for authentication mode idtoken (#…
d383412 
…456)

* feat: add openid issuer claims validator

See: #439

* test: issuer same as set in config

* test: claims validator can be disabled via config

* javadoc: better java doc for issuer

* Create a generic IdTokenClaimsValidator

* doc: improve docs

* user right bean name in tests

* doc: document how to disable it

Co-authored-by: Iván López <[email protected]>
sdelamo added a commit that referenced this issue Nov 28, 2020
@sdelamo
fix: no routes for OAuth 2.0 clients with nosecret
cf78e92 
close: #439
@sdelamo sdelamo linked a pull request Nov 28, 2020 that will close this issue
Open
@sdelamo
Copy link
Contributor

sdelamo commented Nov 28, 2020
edited
Loading

@h4t0n I have created a PR and a test to ensure the callback routes are not defined if you don't have a client secret:

see:

#475

@h4t0n
Copy link
Author

h4t0n commented Dec 1, 2020

@sdelamo thanks. Waiting for the merge then.

@sdelamo sdelamo removed their assignment Mar 1, 2022
@sdelamo sdelamo self-assigned this Nov 27, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sdelamo sdelamo

Labels
relates-to: jwt type: enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: no routes for OAuth 2.0 clients with nosecret micronaut-projects/micronaut-security
2 participants
@sdelamo @h4t0n