
Comments (21)

antonioberben avatar antonioberben commented on September 4, 2024

+1

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

The bundle does support it, but you will access the OpenID Connect functions by accessing the OAuth2\Server object directly. The bundle does not support any specific OpenID Connect functionality itself.

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

I added some docs about how to set up OpenID Connect with this library. I hope this helps.

from oauth2-server-bundle.

antonioberben avatar antonioberben commented on September 4, 2024

Cheers buddy! I am playing with it already. Thanks a lot for all this. It is just great!

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

Thanks for the feedback. Not sure why it took me so long to add the docs. Please let me know where your pain points have been and I'll fill the docs out more to help with them.

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

Thanks, @bshaffer!

I'm having a bit of trouble with the token endpoint (or maybe I didn't quite understand the specs).

I've managed to set up the bundle to use OIDC.

To test it I installed oauth2-demo-php. After testing a bit, I'm unsure if the behavior is correct on the token endpoint since I'm not getting the ID Token when I click the Authorization Code button at the OpenID Connect tab.

The spec says:

In addition to the response parameters specified by OAuth 2.0,
the following parameters MUST be included in the response:

    id_token
        ID Token value associated with the authenticated session.

But the response is:

{
  "access_token":"707495ba376dd3b6795ea6d06bb2f88314c9d2d7",
  "expires_in":3600,
  "token_type":"Bearer",
  "scope":"openid",
  "refresh_token":"2e750f52d70f6f19ec5952ca81e90e5d6012fd64"
}

To make the bundle work for OpenID Connect I created a Compiler Pass that adds oauth2.storage.user_claims and oauth2.storage.public_key services to the oauth2.server storage arguments. This Compiler Pass also changes the config to enable use_openid_connect.

Did I miss anything?

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

Hey there @guilhermednt!
Are you using oauth2-demo-php or oauth2-server-bundle in the case where it doesn't work? The bundle and the demo site are not compatible, as the bundle requires Symfony and the demo uses Silex. Could this be the root of your confusion?

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

I have both:

  1. a Symfony 2 app with the oauth2-server-bundle (it's my OpenID Provider) plus the stuff I did to make it accept OpenID Connect;
  2. the oauth2-demo-php to interact with the Symfony app.

They are separate things...

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

So you're using the client side of the demo app, and the server side is Symfony. Sounds good. But without seeing the code you've made for the Symfony app, it's impossible for me to help. I would suggest making sure the OpenID classes and controllers are properly created in your Oauth2\Server class for starters.

On Fri, Sep 18, 2015 at 1:13 PM Guilherme Donato [email protected] wrote:

I have both:

  1. a Symfony 2 app with the oauth2-server-bundle plus the stuff I did
    to make it accept OpenID Connect;
  2. the oauth2-demo-php to interact with the Symfony app that will be
    an OpenID Provider.



from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

Thank you very much for your attention, @bshaffer.

The code can be found mostly here.

Basically I created the compiler pass to add the storage classes that I couldn't override via parameters, not sure if I did it right though...

Also, I had to override the authorize endpoint to include the user id.

Does this seem ok to you?
Again, thanks for the help!

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

Hmm... I unfortunately don't have time to debug this, but your configuration actually looks spot on. A few things I've found strange - none of my libraries seem to be in your composer.json file. Also, if you debug the $server object, can you confirm the compiler pass worked?

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

The compiler pass seems to be working fine. I just debugged the $server to make sure. The lib is in the composer.json here.

I'm trying to find where the decision of sending an ID Token is being made but it's not very clear to me yet.

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

The decision is made by instantiating the OpenID subclasses of various Controller, ResponseType, GrantType, and Storage objects. These can be created and added manually to your Server object (using setController, addGrantType, etc), or they should be done automatically when use_openid_connect is set to true.

One thing that could cause an issue is if those various classes were being created automatically by the Server ahead of time. But it appears you set the container arguments before the server is instantiated, so I don't see how this would be the problem.

See if the OpenID Authorization Code Grant Type ever gets executed, as this is where magic for the returning of the id_token happens in most cases.

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

Hmm... This is not running. I'll take a look and try to find out why. If you have any suggestion it would be much appreciated.

Thanks for the help!

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

If I were you, I would debug in the Server class first and make sure the proper OpenID classes get created.

https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L481
https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L490
https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L585
https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L594
https://github.com/bshaffer/oauth2-server-php/blob/develop/src/OAuth2/Server.php#L631

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

Thanks! I'll take a look. One thing I noticed is that I had to override the oauth2.grant_type.authorization_code.class parameter to use OAuth2\OpenID\GrantType\AuthorizationCode but that wasn't enough since this condition is failing.

Thanks a LOT @bshaffer. I feel I'm on the correct path now.

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

Aha... yeah, we may be forcing some conditions through the bundle container injection that are making the OpenID model fail. I will do some testing as well to investigate this.

from oauth2-server-bundle.

guilhermednt avatar guilhermednt commented on September 4, 2024

Good news! I may have solved this last issue. The problem was in my AuthorizationCode storage class. The method getAuthorizationCode() wasn't including the id_token in the array.

from oauth2-server-bundle.
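
The failure mode reported in the comment above, as an added example that is not part of the original thread or of the library's own code. It is a simplified model in which the token endpoint copies `id_token` from the stored authorization code record into the response; `InMemoryAuthCodeStorage`, `buildTokenResponse` and all sample values are constructed for illustration.

```php
<?php
// Illustrative model only: not code from oauth2-server-php or the bundle.
// Assumption: the token endpoint adds id_token to its response only when the
// stored authorization code record returned by the storage carries one.
final class InMemoryAuthCodeStorage
{
    private array $codes = [];
    public function __construct(private bool $returnIdToken) {}

    public function setAuthorizationCode(string $code, string $clientId, string $userId,
        string $redirectUri, int $expires, ?string $scope = null, ?string $idToken = null): void
    {
        $this->codes[$code] = ['client_id' => $clientId, 'user_id' => $userId,
            'redirect_uri' => $redirectUri, 'expires' => $expires,
            'scope' => $scope, 'id_token' => $idToken];
    }

    public function getAuthorizationCode(string $code): ?array
    {
        $row = $this->codes[$code] ?? null;
        if ($row !== null && !$this->returnIdToken) {
            unset($row['id_token']); // the bug: stored, but left out of the returned array
        }
        return $row;
    }
}

function buildTokenResponse(InMemoryAuthCodeStorage $storage, string $code): array
{
    $authCode = $storage->getAuthorizationCode($code);
    if ($authCode === null || $authCode['expires'] < time()) {
        throw new RuntimeException('invalid_grant');
    }
    $response = ['access_token' => bin2hex(random_bytes(20)), 'expires_in' => 3600,
        'token_type' => 'Bearer', 'scope' => $authCode['scope']];
    if (isset($authCode['id_token'])) {
        $response['id_token'] = $authCode['id_token'];
    }
    return $response;
}

foreach ([false, true] as $returnIdToken) { // buggy storage first, then the fixed one
    $storage = new InMemoryAuthCodeStorage($returnIdToken);
    $storage->setAuthorizationCode('code123', 'demoapp', 'user-1', // constructed values
        'https://client.example/cb', time() + 30, 'openid', 'header.payload.signature');
    $response = buildTokenResponse($storage, 'code123');
    echo json_encode(['storage_returns_id_token' => $returnIdToken,
        'response_keys' => array_keys($response)]), "\n";
}
```

With the buggy storage the response has the same keys as the one quoted earlier in the thread, minus the refresh token that this model does not issue. A relying party should treat a token response without `id_token` as a failed OpenID Connect login.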

guilhermednt avatar guilhermednt commented on September 4, 2024

@bshaffer, another question: should the nonce be present here?

I noticed it's not being forwarded to the id_token since the AuthorizeController expects the nonce in the query string. I just want to be sure if this is the right place to put the nonce.

Again, thanks for the help! Your libs are saving my life. hehe

from oauth2-server-bundle.

bshaffer avatar bshaffer commented on September 4, 2024

Ahh yes. OpenID Connect will still work for response_type=code without the nonce, but for response_type=id_token and response_type=id_token+token, we need the nonce to be passed in with the authorization request. I will submit a fix for this.

from oauth2-server-bundle.
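
The nonce rule from the comment above, as an added example that is not part of the original thread and does not reproduce the fix in 7fba812. It shows a provider-side request check and the matching client-side comparison; the function names `checkAuthorizeRequest` and `nonceMatches` and all sample values are hypothetical.

```php
<?php
// Illustrative only: not code from oauth2-server-php or the bundle.

/** Provider side: reject requests that ask for an id_token without a nonce. */
function checkAuthorizeRequest(array $query): ?string
{
    $types = preg_split('/\s+/', trim($query['response_type'] ?? ''), -1, PREG_SPLIT_NO_EMPTY);
    $nonce = $query['nonce'] ?? '';
    if (in_array('id_token', $types, true) && $nonce === '') {
        return 'invalid_request: nonce is required when response_type includes id_token';
    }
    return null; // response_type=code may omit the nonce
}

/** Client side: compare the nonce claim with the value bound to the user's session. */
function nonceMatches(string $idToken, string $sessionNonce): bool
{
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        return false;
    }
    $b64 = strtr($parts[1], '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore base64url padding
    $json = base64_decode($b64, true);
    $claims = $json === false ? null : json_decode($json, true);
    return is_array($claims)
        && is_string($claims['nonce'] ?? null)
        && hash_equals($sessionNonce, $claims['nonce']); // constant-time comparison
}

// Constructed sample token. Signature verification is a separate, mandatory step.
$enc = fn(string $s): string => rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
$nonce = bin2hex(random_bytes(16));
$idToken = $enc('{"alg":"RS256"}') . '.'
    . $enc(json_encode(['sub' => 'user-1', 'nonce' => $nonce])) . '.sig';

var_dump(checkAuthorizeRequest(['response_type' => 'code']));
var_dump(checkAuthorizeRequest(['response_type' => 'id_token token']));
var_dump(checkAuthorizeRequest(['response_type' => 'id_token', 'nonce' => $nonce]));
var_dump(nonceMatches($idToken, $nonce));
var_dump(nonceMatches($idToken, 'nonce-from-another-session'));
```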

bshaffer avatar bshaffer commented on September 4, 2024

fixed in 7fba812

from oauth2-server-bundle.
