
token_endpoint_auth_methods_supported offers no choice in use #377

Open
M0rdent opened this issue Jun 23, 2023 · 6 comments

Comments

@M0rdent

M0rdent commented Jun 23, 2023

https://github.com/jumbojett/OpenID-Connect-PHP/blob/45aac47b525f0483dd4db3324bb1f1cab4666061/src/OpenIDConnectClient.php#L927C1-L927C9

Hi.
If "token_endpoint_auth_methods_supported" on the SSO server contains, but is not limited to, "client_secret_basic", then the script on this line tries to perform authorization only by this method. Without a choice, because line 267 assigns "client_secret_basic" by default.
OIDC on DSM 7.2 does not skip login/password authorization, because the application is authorized, not the user.
It would be nice to add a variable for which method to use.
I forcibly disabled the basic authorization method by commenting out lines 927-931.
But it won't help when updating)

Thank you.

@ricklambrechts
Contributor

Does client_secret_basic not work?
What method do you want to use? client_secret_post?

@M0rdent
Author

M0rdent commented Jun 26, 2023

Hi.
".well-known" gives 2 methods: basic and post.
"basic" does not pass.

@ricklambrechts
Contributor

You could call $oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']); before calling $oidc->authenticate();.

This sets the auth method to client_secret_post.

@M0rdent
Author

M0rdent commented Jun 26, 2023

Good, but
if "authenticate" sees $_REQUEST['code'], it runs "requestToken($code)" (line 325).
This method on line 913 requests the available methods:
$token_endpoint_auth_methods_supported = $this->getProviderConfigValue('token_endpoint_auth_methods_supported', ['client_secret_basic']);
Since there is no saved data in "providerConfig", it will be received from the SSO server, which will say that there are basic and post methods.
And on line 927, the condition "find basic" matches.
Or do I misunderstand the logic?

@ricklambrechts
Contributor

This function handles that:

public function supportsAuthMethod(string $auth_method, array $token_endpoint_auth_methods_supported): bool
{
    # client_secret_jwt has to explicitly be enabled
    if (!in_array($auth_method, $this->token_endpoint_auth_methods_supported, true)) {
        return false;
    }
    return in_array($auth_method, $token_endpoint_auth_methods_supported, true);
}

client_secret_basic is not in $this->token_endpoint_auth_methods_supported because of $oidc->setTokenEndpointAuthMethodsSupported(['client_secret_post']);. So the function returns false.
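As an added, library-independent model of the negotiation described in the two comments above (not code from OpenID-Connect-PHP): the client allow list set via setTokenEndpointAuthMethodsSupported is intersected with the provider's token_endpoint_auth_methods_supported, and the chosen method decides whether the client secret travels in an Authorization header (client_secret_basic) or in the form body (client_secret_post). The discovery fragment, client names and the default method order are constructed assumptions.

```python
import base64
import json
from urllib.parse import quote, urlencode

# Constructed discovery-document fragment modelled on what the thread says the
# DSM 7.2 provider advertises; not captured from a real provider.
DISCOVERY_JSON = json.dumps({
    "token_endpoint": "https://sso.example.invalid/oauth/token",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Client-side allow list, tried in order; client_secret_basic first, as in the
# library code quoted in the thread. This default list is an assumption.
DEFAULT_CLIENT_METHODS = ["client_secret_basic", "client_secret_post"]


def supports_auth_method(method, client_methods, provider_methods):
    """Same two-sided check as supportsAuthMethod(): both lists must allow it."""
    return method in client_methods and method in provider_methods


def choose_auth_method(discovery_json, client_methods):
    """First client-preferred method the provider also advertises.

    Falls back to client_secret_basic when the provider omits the field, like
    getProviderConfigValue(..., ['client_secret_basic']) in the thread.
    """
    provider = json.loads(discovery_json).get(
        "token_endpoint_auth_methods_supported", ["client_secret_basic"])
    for method in client_methods:
        if supports_auth_method(method, client_methods, provider):
            return method
    raise ValueError("no token endpoint auth method supported by both sides")


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Headers and form body of the code exchange for the chosen method (RFC 6749 2.3.1)."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # credentials are form-urlencoded, joined with ':' and base64-encoded
        creds = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(creds).decode()
    elif method == "client_secret_post":
        body["client_id"] = client_id
        body["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported auth method {method}")
    return headers, urlencode(body)
```

With the default list the client picks client_secret_basic, which is the situation in the first comment; restricting the list to client_secret_post moves the secret into the form body, which is what the workaround in this thread achieves.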

@M0rdent
Author

M0rdent commented Jun 26, 2023

It helped me. Thanks)
