
feat(jans-auth-server): we should make fallback for client's tokenEndpointAuthMethod configurable #3473

Closed
yuriyz opened this issue Dec 30, 2022 · 4 comments · Fixed by #4033

Comments

@yuriyz
Contributor

yuriyz commented Dec 30, 2022

Description

feat(jans-auth-server): we should make fallback for client's tokenEndpointAuthMethod configurable

Currently, if tokenEndpointAuthMethod is absent, the AS always falls back to the hardcoded client_secret_basic value.

@yuriyz yuriyz added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Dec 30, 2022
@yuriyz yuriyz added this to the 1.0.6 milestone Dec 30, 2022
@yuriyz yuriyz self-assigned this Dec 30, 2022
@nynymike
Contributor

I also wonder if an admin may want to allow a client to use several mechanisms.

[attached image: diagram (not reproduced)]

According to this diagram, basic and post are pretty much the same from a security perspective. Also, perhaps an admin wants to just leave it up to the client developer how much security to use.

Is it possible to enable the support of multiple authn mechanisms at the token endpoint?

@yuriyz
Contributor Author

yuriyz commented Dec 30, 2022

Currently it's not possible, but I will check how easy or hard it is to add such support.

We should also answer the question of how we pass multiple values:
https://openid.net/specs/openid-connect-registration-1_0.html#RegistrationRequest

token_endpoint_auth_method
OPTIONAL. Requested Client Authentication method for the Token Endpoint. The options are client_secret_post, client_secret_basic, client_secret_jwt, private_key_jwt, and none, as described in Section 9 of [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-registration-1_0.html#OpenID.Core) [OpenID.Core]. Other authentication methods MAY be defined by extensions. If omitted, the default is client_secret_basic -- the HTTP Basic Authentication Scheme specified in Section 2.3.1 of [OAuth 2.0](https://openid.net/specs/openid-connect-registration-1_0.html#RFC6749) [RFC6749].

Since we still want to be compatible with standard Connect, we can introduce an additional token_endpoint_auth_methods (with an s at the end, which will be an array of strings).

@nynymike
Contributor

Are you suggesting that we leave the current token_endpoint_auth_method as is, and offer an alternative claim with different behavior? That would be ok. This isn't a super high priority... we've been living with this as is for years. It just seemed annoying to have to change the client config when changing between basic and post.

@moabu moabu modified the milestones: 1.0.6, 1.0.7 Jan 9, 2023
@moabu moabu modified the milestones: 1.0.7, 1.0.9 Mar 1, 2023
@yuriyz
Contributor Author

yuriyz commented Mar 1, 2023

Ok, I'm going to introduce additional_token_endpoint_auth_methods to highlight that the main value is in token_endpoint_auth_method, compatible with Connect, and that we provide the ability to support more methods.

token_endpoint_auth_method vs token_endpoint_auth_methods is too confusing even in code.
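The resolution logic the thread converges on (primary token_endpoint_auth_method, a configurable server-level fallback instead of the hardcoded client_secret_basic, and an additional_token_endpoint_auth_methods list so a client may use basic or post interchangeably) written out as an added Python example. This is not Janssen code: the client and server property names other than token_endpoint_auth_method and additional_token_endpoint_auth_methods are hypothetical, the sample client, secret and requests are constructed, and the JWT-based methods are accepted at registration but not verified here. It also adds the check a practitioner wants once several methods are allowed: RFC 6749 section 2.3 says a client must not use more than one authentication method in a single request, so a request carrying both a Basic header and a client_secret form parameter is rejected rather than letting either one win.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import quote, unquote

# Methods defined by OpenID Connect Registration 1.0 for token_endpoint_auth_method.
KNOWN_METHODS = {"client_secret_basic", "client_secret_post",
                 "client_secret_jwt", "private_key_jwt", "none"}
SECRET_BASED = {"client_secret_basic", "client_secret_post", "client_secret_jwt"}


@dataclass
class Client:
    client_id: str
    client_secret: Optional[str]
    token_endpoint_auth_method: Optional[str] = None  # None: not set at registration
    additional_token_endpoint_auth_methods: List[str] = field(default_factory=list)


@dataclass
class ServerConfig:
    # Hypothetical AS-level setting replacing the hardcoded client_secret_basic fallback.
    default_token_endpoint_auth_method: str = "client_secret_basic"


def allowed_methods(client: Client, config: ServerConfig) -> set:
    """Primary method (or the configured fallback) plus any additional methods."""
    primary = client.token_endpoint_auth_method or config.default_token_endpoint_auth_method
    methods = {primary, *client.additional_token_endpoint_auth_methods}
    unknown = methods - KNOWN_METHODS
    if unknown:
        raise ValueError(f"unknown token endpoint auth method(s): {sorted(unknown)}")
    if methods & SECRET_BASED and not client.client_secret:
        raise ValueError("secret-based method allowed but client has no client_secret")
    return methods


def presented_methods(headers: Dict[str, str],
                      form: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map every authentication method present on the wire to (client_id, credential)."""
    found = {}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            raw = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            raw = ""
        cid, sep, secret = raw.partition(":")
        if sep:
            # RFC 6749 section 2.3.1: both parts are form-urlencoded before base64.
            found["client_secret_basic"] = (unquote(cid), unquote(secret))
    if "client_secret" in form:
        found["client_secret_post"] = (form.get("client_id", ""), form["client_secret"])
    if not found and "client_id" in form:
        found["none"] = (form["client_id"], None)  # public client: identifier only
    return found


def authenticate(client: Client, config: ServerConfig,
                 headers: Dict[str, str], form: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, method-or-reason) for one token endpoint request."""
    allowed = allowed_methods(client, config)
    presented = presented_methods(headers, form)
    if not presented:
        return False, "no client credentials presented"
    if len(presented) > 1:
        # RFC 6749 section 2.3: a client MUST NOT use more than one method per request.
        return False, "multiple authentication methods in one request: " + ", ".join(sorted(presented))
    (method, (cid, credential)), = presented.items()
    if method not in allowed:
        return False, f"{method} not allowed for this client (allowed: {sorted(allowed)})"
    if cid != client.client_id:
        return False, "client_id mismatch"
    if method == "none":
        return True, "none"
    # allowed_methods() guarantees a secret exists when a secret-based method is allowed.
    if not hmac.compare_digest(credential.encode("utf-8"), client.client_secret.encode("utf-8")):
        return False, f"{method}: bad client secret"
    return True, method


def basic_header(client_id: str, secret: str) -> Dict[str, str]:
    """Build an RFC 6749 section 2.3.1 Basic header (constructed test input)."""
    pair = f"{quote(client_id, safe='')}:{quote(secret, safe='')}"
    return {"Authorization": "Basic " + base64.b64encode(pair.encode("utf-8")).decode("ascii")}


if __name__ == "__main__":
    # Constructed sample: a confidential client registered without any method.
    client = Client("demo-client", "s3cr3t")
    post_form = {"grant_type": "client_credentials", "client_id": "demo-client", "client_secret": "s3cr3t"}
    # Hardcoded-style fallback: basic works, post does not.
    print(authenticate(client, ServerConfig(), basic_header("demo-client", "s3cr3t"), {}))
    print(authenticate(client, ServerConfig(), {}, post_form))
    # Same client, fallback reconfigured to client_secret_post.
    print(authenticate(client, ServerConfig("client_secret_post"), {}, post_form))
    # Client allowing both methods via additional_token_endpoint_auth_methods.
    both = Client("demo-client", "s3cr3t", "client_secret_basic", ["client_secret_post"])
    print(authenticate(both, ServerConfig(), {}, post_form))
    print(authenticate(both, ServerConfig(), basic_header("demo-client", "s3cr3t"), post_form))
```

The mixed-method rejection matters more once several methods are allowed per client: without it, an AS that checks the Basic header first would silently ignore a conflicting client_secret in the body (or the other way round), and an attacker who can inject one of the two locations gets a second chance at the credential check.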

yuriyz added a commit that referenced this issue Mar 2, 2023
yuriyz added a commit that referenced this issue Mar 3, 2023
… to authentication filter, mtls and client service #3473
yuriyz added a commit that referenced this issue Mar 3, 2023
yuriyz added a commit that referenced this issue Mar 6, 2023
yuriyz added a commit that referenced this issue Mar 7, 2023
…hod client's property #3473 (#4033)

* feat(jans-auth-server): introduced additional_token_endpoint_auth_method client's property #3473

* feat(jans-auth-server): applied additional_token_endpoint_auth_method to authentication filter, mtls and client service #3473

* feat(jans-auth-server): added additional_token_endpoint_auth_method to registration request #3473

* feat(jans-auth-server): added validation for additional_token_endpoint_auth_method #3473

* feat(jans-auth-server): return additional_token_endpoint_auth_method in registration response #3473

* feat(jans-auth-server): fixed sonar reported issue #3473

* feat(jans-auth-server): added tests for additional_token_endpoint_auth_methods #3473