Support for Okta OIDC discovery using client_id as query parameter #444
Comments
I guess #439 could also address this?

Hey! Thanks for opening this issue. I've gone ahead and cleaned up #439. See #439 (comment) for some reasoning there. What's the issuer URL that's returned by these values? The spec is extremely clear about how to create the discovery URL:
https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
#333 was this package's solution for providers that go off spec with discovery. In this case, you can parse the values yourself and fill in the ProviderConfig struct: https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig
Related:

The issuer path is correct. The query parameter isn't part of the path, so the spec is not talking about the URL?

Sorry, again, would you mind letting me know what the issuer value Okta returns is? The spec defines how to construct the well-known URL from the issuer. So if my issuer is "https://login.example.com", the well-known URL must be "https://login.example.com/.well-known/openid-configuration". If Okta is doing something different, that's fine, but it wouldn't be spec based. Have you opened an issue with them?

There's a sample in the documentation links in my original report.

Thanks. So, given that the documentation says the issuer is "https://{youroktadomain}/", based on my reading of the spec the well-known URL MUST be "https://{youroktadomain}/.well-known/openid-configuration". If that's the wrong URL, please parse the metadata document yourself and use ProviderConfig to construct a provider: https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig
Ideally, if I'm misreading this report or if Okta does have an issue, it'd be helpful for this project to open a bug with Okta and link back here, similar to what we've done with #344. Since this appears off spec, and go-oidc supports off-spec providers through the ProviderConfig linked above, going to call this issue fixed.

According to RFC 3986, the query is not part of the path.
This PR adds JSON tags to allow parsing a ProviderConfig directly from the OpenID Connect JSON metadata document. Since this is the preferred workaround for providers that don't support discovery in a spec-compliant way, such as returning the wrong issuer, or requiring a URL parameter, make this path easier and add an example to the godoc.
Updates coreos#445
Updates coreos#444
Updates coreos#439
Updates coreos#442
Updates coreos#344
Fixes coreos#290
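The thread makes two separate points: the discovery URL is derived from the issuer by a fixed rule (trim the trailing slash, append `/.well-known/openid-configuration`, no query string), and a provider that deviates from that rule is handled by fetching the metadata document yourself and building a ProviderConfig from it. The following stand-alone Go program is an added example that belongs to neither go-oidc nor anyone in this thread. It uses its own `ProviderConfig` type with the same JSON tags as the metadata document (rather than importing go-oidc), a constructed `httptest` provider that refuses to serve metadata without a `client_id` query parameter, and an assumed client ID `0oaexample` and endpoint paths. The check a practitioner should not drop when overriding the discovery URL is the issuer comparison: whatever URL the document was fetched from, its `issuer` field must equal the issuer you configured, otherwise a document served from the wrong place can redirect you to someone else's `jwks_uri` and `token_endpoint`.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// ProviderConfig is this example's own copy of the fields go-oidc's
// oidc.ProviderConfig carries, tagged with the metadata document's keys.
type ProviderConfig struct {
	IssuerURL   string   `json:"issuer"`
	AuthURL     string   `json:"authorization_endpoint"`
	TokenURL    string   `json:"token_endpoint"`
	UserInfoURL string   `json:"userinfo_endpoint"`
	JWKSURL     string   `json:"jwks_uri"`
	Algorithms  []string `json:"id_token_signing_alg_values_supported"`
}

// DiscoveryURL derives the well-known URL from the issuer the way OpenID
// Connect Discovery 1.0 prescribes. An issuer carrying a query or fragment
// has no spec-conformant discovery URL, so it is rejected rather than guessed.
func DiscoveryURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", err
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q: query and fragment are not allowed", issuer)
	}
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration", nil
}

// FetchProviderConfig downloads a metadata document from an arbitrary URL
// (for example one with ?client_id=...) and parses it. The document's
// "issuer" must equal wantIssuer; that comparison is what stops a document
// fetched from an unexpected location from pointing us at foreign endpoints.
func FetchProviderConfig(ctx context.Context, client *http.Client, metadataURL, wantIssuer string) (*ProviderConfig, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, metadataURL, nil)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap the document at 1 MiB
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("%s: status %d: %s", metadataURL, resp.StatusCode, strings.TrimSpace(string(body)))
	}
	var cfg ProviderConfig
	if err := json.Unmarshal(body, &cfg); err != nil {
		return nil, fmt.Errorf("decoding metadata: %w", err)
	}
	if cfg.IssuerURL != wantIssuer {
		return nil, fmt.Errorf("issuer mismatch: metadata says %q, expected %q", cfg.IssuerURL, wantIssuer)
	}
	if cfg.AuthURL == "" || cfg.TokenURL == "" || cfg.JWKSURL == "" {
		return nil, errors.New("metadata is missing a required endpoint")
	}
	return &cfg, nil
}

// NewClientIDGatedServer is a constructed test provider that, like the
// behaviour reported for Okta's org authorization server, only serves the
// metadata document when a client_id query parameter is present.
func NewClientIDGatedServer() *httptest.Server {
	var srv *httptest.Server
	srv = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		if r.URL.Path != "/.well-known/openid-configuration" {
			http.NotFound(w, r)
			return
		}
		if r.URL.Query().Get("client_id") == "" {
			w.WriteHeader(http.StatusBadRequest)
			io.WriteString(w, `{"error":"invalid_client","error_description":"client_id is required"}`)
			return
		}
		json.NewEncoder(w).Encode(ProviderConfig{
			IssuerURL:   srv.URL,
			AuthURL:     srv.URL + "/oauth2/v1/authorize",
			TokenURL:    srv.URL + "/oauth2/v1/token",
			UserInfoURL: srv.URL + "/oauth2/v1/userinfo",
			JWKSURL:     srv.URL + "/oauth2/v1/keys",
			Algorithms:  []string{"RS256"},
		})
	}))
	return srv
}

func main() {
	srv := NewClientIDGatedServer()
	defer srv.Close()
	ctx := context.Background()
	wellKnown, _ := DiscoveryURL(srv.URL + "/")
	// The spec-derived URL fails against this provider...
	if _, err := FetchProviderConfig(ctx, srv.Client(), wellKnown, srv.URL); err != nil {
		fmt.Println("spec discovery:", err)
	}
	// ...so fetch from the provider-specific URL, issuer still pinned.
	cfg, err := FetchProviderConfig(ctx, srv.Client(), wellKnown+"?client_id=0oaexample", srv.URL)
	if err != nil {
		panic(err)
	}
	fmt.Println("jwks_uri:", cfg.JWKSURL)
}
```

With the real library, the same flow is: fetch the document from the provider-specific URL, `json.Unmarshal` it into `oidc.ProviderConfig` (which is what the JSON tags in the PR above make possible), compare its `IssuerURL` against the issuer you expect, and then call the config's `NewProvider(ctx)` to get a `*oidc.Provider` and its `Verifier`. The issuer pinning still matters afterwards: the verifier compares the ID token's `iss` claim against the configured issuer, so the value you pin here is the value every token will be checked against.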
Okta is using the client_id query parameter to serve the OpenID Connect metadata. Can we get a way to have query parameters in the issuer?
https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/
https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/getWellKnownOpenIDConfiguration