
Support for Okta OIDC discovery using client_id as query parameter #444

Closed
d1ss0nanz opened this issue Dec 23, 2024 · 7 comments

Comments

@d1ss0nanz

Okta is using the client_id query parameter to serve the OpenID Connect metadata.

Can we get a way to have query parameters in the issuer?

https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/

https://developer.okta.com/docs/api/openapi/okta-oauth/oauth/tag/OrgAS/#tag/OrgAS/operation/getWellKnownOpenIDConfiguration

@d1ss0nanz
Author

I guess #439 could also address this?

@ericchiang
Collaborator

Hey! Thanks for opening this issue. I've gone ahead and cleaned up #439. See #439 (comment) for some reasoning there.

What's the issuer URL that's returned by these values? The spec is extremely clear about how to create the discovery URL:

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig

#333 was this package's solution for providers that go off spec with discovery. In this case, you can parse the values yourself and fill in the ProviderConfig struct:

https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig

Related:

@d1ss0nanz
Author

The issuer path is correct.

The query parameter isn't part of the path, so the spec is not talking about the URL?

@ericchiang
Collaborator

Sorry, again, would you mind letting me know what the issuer value Okta returns is?

The spec defines how to construct the well known URL from the issuer. So if my issuer is "https://login.example.com" the well known URL must be "https://login.example.com/.well-known/openid-configuration".

If Okta is doing something different, that's fine, but it wouldn't be spec based. Have you opened an issue with them?

@d1ss0nanz
Author

There's a sample in the documentation links in my original report.

@ericchiang
Collaborator

Thanks. So, given that the documentation says the issuer is "https://{youroktadomain}/", based on my reading of the spec the well-known URL MUST be "https://{youroktadomain}/.well-known/openid-configuration".

If that's the wrong URL, please parse the metadata document yourself and use ProviderConfig to construct a provider.

https://pkg.go.dev/github.com/coreos/go-oidc/v3/oidc#ProviderConfig

Ideally, if I'm misreading this report or if Okta does have an issue, it'd be helpful for this project to open a bug with Okta and link back here, similar to what we've done with #344.

Since this appears off spec, and go-oidc supports off spec providers through the ProviderConfig opened above, going to call this issue fixed.
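
Added example, not go-oidc's own code and not Okta's: two standard-library Go helpers covering the two points made in this thread. `DiscoveryURL` forms the discovery URL by concatenation exactly as the spec quoted above says, which is why an issuer that carries a query string cannot produce a well-formed discovery URL that way and is rejected. `ParseMetadata` decodes a metadata document that the client fetched itself (with whatever query parameter the provider requires) and applies the checks a library would otherwise do during discovery before the values are copied into `ProviderConfig`. The issuer `https://login.example.com`, its endpoints and the `SampleMetadata` document are constructed sample data; `CLIENT_ID_PLACEHOLDER` is a placeholder, not a real value.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"strings"
)

// DiscoveryURL forms the discovery URL the way the OpenID Connect Discovery
// spec describes: "/.well-known/openid-configuration" concatenated to the
// issuer (a single trailing slash on the issuer is collapsed). An issuer that
// carries a query string or fragment is rejected, because plain concatenation
// would leave the query in the middle of the URL and the result would not be
// a spec-formed discovery URL at all.
func DiscoveryURL(issuer string) (string, error) {
	u, err := url.Parse(issuer)
	if err != nil {
		return "", fmt.Errorf("parse issuer: %w", err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("issuer %q must be an absolute https URL", issuer)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q has a query or fragment; the discovery URL cannot be formed by concatenation", issuer)
	}
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration", nil
}

// Metadata holds the fields of the provider metadata document a relying
// party needs. The JSON keys are the ones the discovery spec defines.
type Metadata struct {
	Issuer      string   `json:"issuer"`
	AuthURL     string   `json:"authorization_endpoint"`
	TokenURL    string   `json:"token_endpoint"`
	JWKSURL     string   `json:"jwks_uri"`
	UserInfoURL string   `json:"userinfo_endpoint"`
	Algorithms  []string `json:"id_token_signing_alg_values_supported"`
}

// ParseMetadata decodes a metadata document fetched out of band and applies
// the checks a library normally does during discovery: the document's issuer
// must equal the issuer the client expects (otherwise ID tokens from a
// different issuer than intended would later be accepted), and every
// endpoint must be an absolute https URL.
func ParseMetadata(expectedIssuer string, doc []byte) (*Metadata, error) {
	var m Metadata
	if err := json.Unmarshal(doc, &m); err != nil {
		return nil, fmt.Errorf("decode metadata: %w", err)
	}
	if m.Issuer != expectedIssuer {
		return nil, fmt.Errorf("issuer mismatch: document says %q, expected %q", m.Issuer, expectedIssuer)
	}
	required := []struct{ name, value string }{
		{"authorization_endpoint", m.AuthURL},
		{"token_endpoint", m.TokenURL},
		{"jwks_uri", m.JWKSURL},
	}
	for _, ep := range required {
		if err := requireHTTPS(ep.value); err != nil {
			return nil, fmt.Errorf("%s: %w", ep.name, err)
		}
	}
	// userinfo_endpoint is optional in the spec; check it only when present.
	if m.UserInfoURL != "" {
		if err := requireHTTPS(m.UserInfoURL); err != nil {
			return nil, fmt.Errorf("userinfo_endpoint: %w", err)
		}
	}
	return &m, nil
}

func requireHTTPS(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%q is not an absolute https URL", raw)
	}
	return nil
}

// SampleMetadata is a constructed metadata document for a fictional issuer;
// it is not Okta's real metadata.
const SampleMetadata = `{
  "issuer": "https://login.example.com",
  "authorization_endpoint": "https://login.example.com/oauth2/v1/authorize",
  "token_endpoint": "https://login.example.com/oauth2/v1/token",
  "jwks_uri": "https://login.example.com/oauth2/v1/keys",
  "userinfo_endpoint": "https://login.example.com/oauth2/v1/userinfo",
  "id_token_signing_alg_values_supported": ["RS256"]
}`

func main() {
	issuer := "https://login.example.com"
	u, err := DiscoveryURL(issuer)
	fmt.Println(u, err)
	// An issuer with a query parameter: concatenation cannot form a valid URL.
	_, err = DiscoveryURL(issuer + "/?client_id=CLIENT_ID_PLACEHOLDER")
	fmt.Println("issuer with query:", err)
	// In real code the document is fetched over HTTPS (appending whatever
	// query parameter the provider requires), parsed here, and its fields
	// copied into oidc.ProviderConfig before calling NewProvider; that step
	// is omitted so the example runs without the module.
	m, err := ParseMetadata(issuer, []byte(SampleMetadata))
	fmt.Printf("%+v %v\n", m, err)
}
```

For a provider that returns a different issuer than the one documented (the other off-spec case the commit message below mentions), the caller passes the issuer the provider actually puts in its tokens as `expectedIssuer`, deliberately and in one place, rather than disabling the check.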

@d1ss0nanz
Author

According to RFC3986, the query is not part of the path.
I would argue that your interpretation is too strict.

ericchiang added a commit to ericchiang/go-oidc that referenced this issue Jan 4, 2025
This PR adds JSON tags to allow parsing a ProviderConfig directly from
the OpenID Connect JSON metadata document. Since this is the preferred
workaround for providers that don't support discovery in a
spec-compliant way, such as returning the wrong issuer, or requiring a
URL parameter, make this path easier and add an example to the godoc.

Updates coreos#445
Updates coreos#444
Updates coreos#439
Updates coreos#442
Updates coreos#344
Fixes coreos#290
ericchiang added a commit that referenced this issue Jan 4, 2025
This PR adds JSON tags to allow parsing a ProviderConfig directly from
the OpenID Connect JSON metadata document. Since this is the preferred
workaround for providers that don't support discovery in a
spec-compliant way, such as returning the wrong issuer, or requiring a
URL parameter, make this path easier and add an example to the godoc.

Updates #445
Updates #444
Updates #439
Updates #442
Updates #344
Fixes #290