Wrong error issued with OpenID Connect security schema #485

Open
cvgaviao opened this issue Mar 11, 2019 · 6 comments
Comments

@cvgaviao

An OpenID Connect security scheme requires only two fields:

  securitySchemes:
    OpenIdC:  
      type: openIdConnect
      openIdConnectUrl: http://172.17.0.2:8080/.well-known/openid-configuration

Then in a Path we need to refer to a security scheme using the security tag:

      security:
        - OpenIdC: 
          - admin   <------ error issued here 

But the editor is wrongly issuing an error as if the scheme were oAuth2: "admin" does not match any scope name defined in the OpenIdC security scheme.

@cvgaviao
Author

cvgaviao commented Apr 8, 2019

Could any developer comment on this issue?

@tedepstein
Collaborator

tedepstein commented Apr 8, 2019

@cvgaviao , sorry for the delay. I have opened an issue here to get some clarification on the spec:

These other open issues suggest that OpenAPI may still be trying to figure out how to model the complex relationship between OIDC and OAuth, and the meaning of the scopes array in Security Requirements Object:

Maybe we'll see some refinements to this in future versions of the OpenAPI spec.

In the meantime, I think the safe thing to do is to limit the validation to apply only to security requirements for oauth2-typed security schemes. We will try to get this fix into the next patch release.
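The fix tedepstein describes, as an added example that is not the editor's own code: a small validator for OpenAPI 3 security requirements that checks scope names only against oauth2-typed schemes, passes openIdConnect requirements through untouched, and flags a non-empty scopes array on apiKey/http schemes. SPEC is a constructed document built around the OpenIdC scheme from the report.

```python
# Added example, not the editor's code. SPEC is a constructed OpenAPI 3 fragment;
# the Petstore and ApiKey schemes exist only to contrast with OpenIdC.
from typing import List

SPEC = {
    "components": {"securitySchemes": {
        "OpenIdC": {"type": "openIdConnect",
                    "openIdConnectUrl": "http://172.17.0.2:8080/.well-known/openid-configuration"},
        "Petstore": {"type": "oauth2", "flows": {"implicit": {
            "authorizationUrl": "https://example.test/authorize",
            "scopes": {"read:pets": "read pets"}}}},
        "ApiKey": {"type": "apiKey", "name": "X-Key", "in": "header"},
    }},
    "paths": {
        "/admin": {"get": {"security": [{"OpenIdC": ["admin"]}]}},
        "/pets": {"get": {"security": [{"Petstore": ["read:pets", "write:pets"]}]}},
        "/keys": {"get": {"security": [{"ApiKey": ["admin"]}]}},
    },
}


def oauth2_scopes(scheme: dict) -> set:
    """Every scope name declared across all flows of an oauth2 scheme."""
    return {s for flow in scheme.get("flows", {}).values() for s in flow.get("scopes", {})}


def validate_security(spec: dict) -> List[str]:
    """Return one message per invalid security requirement (empty list = valid)."""
    schemes = spec.get("components", {}).get("securitySchemes", {})
    errors = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            for req in op.get("security", []):
                for name, scopes in req.items():
                    where = f"{method.upper()} {path}"
                    scheme = schemes.get(name)
                    if scheme is None:
                        errors.append(f"{where}: unknown security scheme {name!r}")
                    elif scheme["type"] == "oauth2":
                        # Only oauth2 schemes declare their scopes in the document.
                        for s in scopes:
                            if s not in oauth2_scopes(scheme):
                                errors.append(f"{where}: scope {s!r} not defined in {name!r}")
                    elif scheme["type"] == "openIdConnect":
                        # Scopes live in the provider's discovery document, so no name check.
                        continue
                    elif scopes:
                        # apiKey / http schemes: the scopes array must be empty.
                        errors.append(f"{where}: {name!r} ({scheme['type']}) takes no scopes")
    return errors
```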

@cvgaviao
Author

@tedepstein, I'm wondering here...
Wouldn't it be possible for the tool to just retrieve the scopes provided by the openIdConnectUrl and validate against them?
What I understood is that the OpenID discovery path "/.well-known/openid-configuration" is aimed at something like that, and all OID providers expose it.

Don't you think?

@tedepstein
Collaborator

@cvgaviao , we would need to look more carefully at this. If this is required of all OID implementations, then it's possible to implement validation and/or code assist for OID scopes/roles.

For validation purposes, we generally don't rely on things outside of the OpenAPI document or the OpenAPI specification, unless it's directly referenced from the document as a $ref. So we'll be a bit cautious with this.

If you think validation and/or code assist for OID scopes would be valuable, could you please open a separate issue for it? I'd like to limit the scope of this issue to fixing the error condition.

@cvgaviao
Author

cvgaviao commented Apr 13, 2019

@tedepstein, for me, actually, just not throwing an error when not providing a scope is OK for now.

But as I'm moving my application to OID, I investigated many OpenID Connect standard providers and all of them use /.well-known/openid-configuration.

For example, take a look at the path provided by MS Azure: https://login.windows.net/common/.well-known/openid-configuration

And for Google: https://accounts.google.com/.well-known/openid-configuration

@tedepstein
Collaborator

Thanks for that info, @cvgaviao .
