Describe the Bug
Hello teams,
First thing, your CMS is amazing! Great work.
I'm opening this issue because I'm trying to connect the CMS with a self-hosted OIDC server.
The OIDC server is implemented using oidc-provider developed by panva,
who is the same author of openid-client used by your OpenID driver. But I'm not able to log in a user because your OpenID auth implementation is incomplete.
Let me explain the problem ;)
To Reproduce
The OpenID client gets metadata from /.well-known/openid-configuration to get all routes for the authorization URL/token and to control the access_token delivered by the OIDC server. One of the options returned by the well-known document is authorization_response_iss_parameter_supported:

```jsonc
{
  "issuer": "http://localhost",
  "jwks_uri": "http://localhost/jwks",
  "authorization_response_iss_parameter_supported": true, // this option enables an extra control from openid-client
  "authorization_endpoint": "http://localhost/authorize"
}
```

This option enables a specific control performed by openid-client during the callback (to get a token in exchange for the code). The ref code is here:
https://github.com/panva/node-openid-client/blob/main/lib/client.js#L415
And this verification is called here in the OpenID Auth provider:
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L132
But this control shouldn't be triggered if the iss is available in the given parameters here:
From the OIDC spec, the iss is given at the same time as the code and state in the callback redirection:
iss seems to be mandatory for openid-client. But the fix is pretty easy: adding the correct mapping solves the issue:
Here:
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L134
and here:
https://github.com/directus/directus/blob/main/api/src/auth/drivers/openid.ts#L337
This addition improves the security flow between an OIDC server and a Directus CMS instance.
I hope my fix suggestion will help you. I also made a PR to help you!
See you
Hosting Strategy
Self-Hosted (Docker Image)
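The check the issue describes, as an added example that is not Directus or openid-client code: when the provider's discovery document advertises authorization_response_iss_parameter_supported, the callback handler must forward the iss query parameter and compare it to the discovered issuer; a callback that omits or mismatches it is rejected. The function names, the callback URL and the sample values are constructed for this example.

```javascript
// Constructed discovery metadata, shaped like the one quoted in the issue.
const issuerMetadata = {
  issuer: "http://localhost",
  authorization_endpoint: "http://localhost/authorize",
  jwks_uri: "http://localhost/jwks",
  authorization_response_iss_parameter_supported: true,
};

// Collect the callback parameters the driver has to forward: code, state AND iss.
// Dropping iss here is the mapping gap the issue points at.
function callbackParams(redirectUrl) {
  const { searchParams } = new URL(redirectUrl);
  const params = {};
  for (const name of ["code", "state", "iss", "error"]) {
    if (searchParams.has(name)) params[name] = searchParams.get(name);
  }
  return params;
}

// Validate the authorization response against what was stored at login time.
// Returns { ok: true, code } or { ok: false, reason }.
function validateAuthorizationResponse(metadata, params, expectedState) {
  if (params.error) return { ok: false, reason: `provider error: ${params.error}` };
  if (params.state !== expectedState) return { ok: false, reason: "state mismatch" };
  if (metadata.authorization_response_iss_parameter_supported) {
    // The provider promised an iss (RFC 9207); a response without one, or with a
    // different issuer, must not be exchanged for a token (mix-up defence).
    if (!params.iss) return { ok: false, reason: "iss missing" };
    if (params.iss !== metadata.issuer) return { ok: false, reason: "iss mismatch" };
  }
  if (!params.code) return { ok: false, reason: "code missing" };
  return { ok: true, code: params.code };
}

// Constructed callback URLs (hypothetical redirect URI on the CMS side).
const callbackWithIss =
  "https://cms.example/auth/callback?code=abc123&state=s1&iss=http%3A%2F%2Flocalhost";
const callbackWithoutIss =
  "https://cms.example/auth/callback?code=abc123&state=s1";
const callbackWrongIss =
  "https://cms.example/auth/callback?code=abc123&state=s1&iss=http%3A%2F%2Fother.example";

console.log(validateAuthorizationResponse(issuerMetadata, callbackParams(callbackWithIss), "s1"));
console.log(validateAuthorizationResponse(issuerMetadata, callbackParams(callbackWithoutIss), "s1"));
```

With iss forwarded the first call succeeds; the second is the failure mode the issue reports when the driver drops the parameter.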