OpenId Validation Features without OAuth login handler(s) #439
Comments
I think we should support this. How do you envision this to work, @h4t0n? We could support:
and if you specify a type of `openid-configuration` we search for the `jwks_uri` exposed in the well-known/openid-configuration. Or did you just want to have something like this:
We probably need to add a claims validator to ensure we only accept tokens addressed to an OAuth 2.0 client.
What about something like that?
Because here we can use the client-id to validate only its tokens. And do we need the client-secret? I think it can be omitted to verify the token.
I agree with you. Probably, we should not require
The type 'verify' or something similar should probably be used to disable OAuth login endpoints, so it is clear that the OAuth2 configuration is only used to verify tokens.
@h4t0n using authentication mode I've created a PR which includes a claims validator to validate that the So, you will just need:

```yaml
micronaut:
  security:
    authentication: idtoken
    oauth2:
      clients:
        google:
          client-id: '${OAUTH_CLIENT_ID}'
          openid:
            issuer: 'https://accounts.google.com'
```
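To make the two pieces discussed above concrete, the following is an added example (not Micronaut's code and not from this PR) of what a verify-only setup does: it reads the `jwks_uri` out of the issuer's `.well-known/openid-configuration` document instead of hard-coding it, and it runs the claims checks (issuer, audience equal to the configured client-id, `azp`, `exp`, `iat`) on an already-decoded ID token payload. The discovery document, client id and token claims are constructed sample data, and the signature check against the JWKS is assumed to have happened before `validate_id_token_claims` is called.

```python
import json
import time
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-in for the JSON that GET {issuer}/.well-known/openid-configuration
# would return; sample data for this example, not fetched from Google.
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://accounts.google.com",
    "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Placeholder client id (assumption); a real one comes from the OAuth client registration.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"

# Constructed claims, shaped like a decoded Google ID token payload.
SAMPLE_CLAIMS = {
    "iss": "https://accounts.google.com",
    "aud": CLIENT_ID,
    "sub": "sample-subject",
    "iat": 1_700_000_000,
    "exp": 1_700_003_600,
}


def well_known_url(issuer: str) -> str:
    """Location of the OpenID Provider Configuration document for an issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def discover(issuer: str, discovery_json: str) -> dict:
    """Parse a discovery document and return what token verification needs.

    The issuer inside the document must equal the configured one: a document
    advertising another issuer could point us at a JWKS we should not trust.
    """
    doc = json.loads(discovery_json)
    if doc.get("issuer") != issuer:
        raise ValueError(f"discovery issuer {doc.get('issuer')!r} != configured {issuer!r}")
    jwks_uri = doc.get("jwks_uri")
    if not jwks_uri or urlparse(jwks_uri).scheme != "https":
        raise ValueError("discovery document lacks an https jwks_uri")
    return {
        "issuer": doc["issuer"],
        "jwks_uri": jwks_uri,  # keys are fetched from here; the URL may change over time
        "algs": list(doc.get("id_token_signing_alg_values_supported", [])),
    }


def validate_id_token_claims(claims: dict, issuer: str, client_id: str,
                             now: Optional[float] = None, skew: int = 60) -> list:
    """Return the names of failed checks; an empty list means the claims are acceptable.

    Assumes the JWT signature was already verified against the provider's JWKS.
    Checks follow OpenID Connect Core 3.1.3.7: iss, aud (must contain our client-id),
    azp when several audiences are present, exp and iat (with a small clock skew).
    """
    now = time.time() if now is None else now
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in audiences:
        errors.append("aud")  # token was issued for a different client
    if len(audiences) > 1 and claims.get("azp") != client_id:
        errors.append("azp")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now - skew:
        errors.append("exp")
    if not isinstance(claims.get("iat"), (int, float)) or claims["iat"] > now + skew:
        errors.append("iat")
    return errors


def demo() -> dict:
    """Run discovery and the claims checks on the constructed sample data."""
    issuer = "https://accounts.google.com"
    meta = discover(issuer, SAMPLE_DISCOVERY_JSON)
    now = 1_700_000_100  # fixed "current time" so the sample token is inside its lifetime
    own = validate_id_token_claims(SAMPLE_CLAIMS, meta["issuer"], CLIENT_ID, now=now)
    foreign = validate_id_token_claims({**SAMPLE_CLAIMS, "aud": "some-other-client"},
                                       meta["issuer"], CLIENT_ID, now=now)
    return {"discovery_url": well_known_url(issuer), "jwks_uri": meta["jwks_uri"],
            "own_token_errors": own, "foreign_token_errors": foreign}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The audience check is the one that makes the `client-secret` unnecessary for verification: only the public client-id is needed to reject ID tokens minted for another client, while the JWKS fetched from `jwks_uri` covers the signature.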
Sounds really good. So if I don't use the client-secret, it means that no OAuth2 login/logout endpoints are created, right?
…456)

* feat: add openid issuer claims validator. See: #439
* test: issuer same as set in config
* test: claims validator can be disabled via config
* javadoc: better java doc for issuer
* Create a generic IdTokenClaimsValidator
* doc: improve docs
* user right bean name in tests
* doc: document how to disable it

Co-authored-by: Iván López <[email protected]>
@sdelamo thanks. Waiting for the merge then.
I use Micronaut to validate Google OpenID JWTs without needing the OAuth login handler. I know that I can use the jwks url with the bearer token validation configuration. But for Google the standard endpoint is the openid configuration; indeed, the jwks uri may change.
Is it possible to use the openid configuration only for token validation?