APP: Doorkeeper OIDC mit PKCE funktioniert nicht #1075

amaierhofer · 2024-10-04T14:41:53Z

Aktuell funktioniert der OIDC Authorization Flow in der App nicht. Möglicherweise hängt es mit der von der App verwendenten PKCE Erweiterung zusammen.

Warum genau nach dem Login doorkeeper in die App zurück redirected (sacappdev://signin-oidc?error=login_required&error_description=The+authorization+server+requires+end-user+authentication&state=VL0uBHopjeSJ9I0MwevgwA) ist unklar.

Zum lokalen testen von oidc muss JWT_SIGNING_KEY gesetzt sein.

❯ openssl genpkey -algorithm RSA -out private_key.pem -pkeyopt rsa_keygen_bits:2048
❯ JWT_SIGNING_KEY=private_key.pem rails s

The text was updated successfully, but these errors were encountered:

amaierhofer · 2024-10-04T15:01:25Z

Bei Tests mit oidcdebugger.com scheint der PKCE Flow in Ordnung.

via applogin

{"method":"POST","path":"/en/users/sign_in","format":"html","controller":"Devise::Hitobito::SessionsController","action":"create","status":303,"allocations":39338,"duration":166.81,"view":0.0,"db":0.0,"location":"https://sac-cas.puzzle.ch/oauth/authorize","time":"2024-10-04 14:30:56 +0200","request_uuid":"e9d593ac-aba5-4b3b-a830-ce3c74bc5016","params":"{authenticity_token: '7hl1/6AyyOPpEP8QL0/X4Gee7iKE7iDJy1ga03SRv2k7PXvTKco01nM/I16NMg0PFqQQSFwq8BTaYVZyvSSg2g==', person: {login_identity: '[email protected]', password: '[FILTERED]', remember_me: '0'}, button: '', oauth: 'true', locale: 'en'}","user_id":600520}
{"method":"GET","path":"/oauth/authorize","format":"html","controller":"Doorkeeper::AuthorizationsController","action":"new","status":302,"allocations":14527,"duration":43.46,"view":0.0,"db":0.0,"location":"sacappdev://signin-oidc","time":"2024-10-04 14:30:56 +0200","request_uuid":"f82a5a84-c31b-40f3-831a-da583709dde0","params":"{redirect_uri: 'sacappdev://signin-oidc', client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', response_type: 'code', prompt: 'login', ui_locales: 'en-GB de-CH nb-NO fr-CH it-CH', state: 'qlNYjf3C5mFAJc2e7nP_9g', nonce: 'cU8TF2WgFDuSF3cbtiyh8w', scope: 'openid', code_challenge: 'tWcE8HbXpGPvg0pdZoQXOV4Fcy6QqfXJcOL4fAfT3s4', code_challenge_method: 'S256', language: 'en'}","user_id":600520}

via oidcdebugger

{"method":"POST","path":"/de/users/sign_in","format":"html","controller":"Devise::Hitobito::SessionsController","action":"create","status":303,"allocations":32208,"duration":182.22,"view":0.0,"db":0.0,"location":"https://sac-cas.puzzle.ch/oauth/authorize","time":"2024-10-04 16:58:21 +0200","request_uuid":"06f20fd5-99bf-41be-b975-d3eeeebe992f","params":"{authenticity_token: 'F1NxCpJb/oKEasU3zePY28sR5JhtgjfpiFySgjEJeeYDh2OKsms6yZxP8Xa6YV4GDKoINCExYWQWeNxNW/B7Cw==', person: {login_identity: '[email protected]', password: '[FILTERED]', remember_me: '0'}, button: '', oauth: 'true', locale: 'de'}","user_id":600000}
{"method":"GET","path":"/oauth/authorize","format":"html","controller":"Doorkeeper::AuthorizationsController","action":"new","status":302,"allocations":17161,"duration":52.97,"view":0.0,"db":0.0,"location":"https://oidcdebugger.com/debug#code=F0rtuJBO0vgaqNL1UijimdyHDglaDFx7radIQSK-JQQ&state=8isbempx1sw","time":"2024-10-04 16:58:21 +0200","request_uuid":"9d156855-d395-47bd-95f3-16e4731f70f5","params":"{client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', redirect_uri: 'https://oidcdebugger.com/debug', scope: 'openid', response_type: 'code', response_mode: 'fragment', code_challenge_method: 'S256', code_challenge: 'g85KMxdScHJIMmEklWA6LI9_uamv_PyNiC-REcgjd2k', state: '8isbempx1sw', nonce: 'qpcyxr1cuc'}","user_id":600000}
{"method":"POST","path":"/oauth/token","format":"*/*","controller":"Doorkeeper::TokensController","action":"create","status":200,"allocations":14551,"duration":48.63,"view":0.25,"db":0.0,"time":"2024-10-04 16:58:22 +0200","request_uuid":null,"params":"{client_id: 'Ve1whYs5mHxHCUOSoD2fi6MG5jQN4PgeI9NWawE9Klg', code: '[FILTERED]', code_verifier: 'K1l6OgZ1P5w8IT1XeRaLZkZr7ADadYhvsPaoDI6lxgA', grant_type: 'authorization_code', redirect_uri: 'https://oidcdebugger.com/debug'}"}

Nebem dem request format existieren folgende Unterschiede bei den parametern im /oauth/authorize GET request

[6] pry(main)> app.keys - oidc.keys
=> [:prompt, :ui_locales, :language]
[7] pry(main)> oidc.keys - app.keys
=> [:response_mode]

amaierhofer self-assigned this Oct 4, 2024

amaierhofer added interest-sac Sprint 12 labels Oct 4, 2024

amaierhofer changed the title ~~APP: Doorkeeper mit OIDC und PKCE tut nicht~~ APP: Doorkeeper mit OIDC und PKCE funktioniert nicht Oct 4, 2024

amaierhofer changed the title ~~APP: Doorkeeper mit OIDC und PKCE funktioniert nicht~~ APP: Doorkeeper OIDC mit PKCE funktioniert nicht Oct 4, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

APP: Doorkeeper OIDC mit PKCE funktioniert nicht #1075

APP: Doorkeeper OIDC mit PKCE funktioniert nicht #1075

amaierhofer commented Oct 4, 2024

amaierhofer commented Oct 4, 2024 •

edited

Loading

APP: Doorkeeper OIDC mit PKCE funktioniert nicht #1075

APP: Doorkeeper OIDC mit PKCE funktioniert nicht #1075

Comments

amaierhofer commented Oct 4, 2024

amaierhofer commented Oct 4, 2024 • edited Loading

amaierhofer commented Oct 4, 2024 •

edited

Loading