
OIDC confidential access type and Authorization Code Grant #235

Closed
ll4strw opened this issue Jan 25, 2024 · 1 comment
Labels: enhancement (New feature or request)


ll4strw commented Jan 25, 2024

OIDC confidential access type and Authorization Code Grant

Hello, I am testing the http api with keycloak. Is there a conf parameter that I can set in my config.json such that I can authenticate against an OpenID client with a pair (client_id, client_secret) as credentials? Is this a supported feature? Also, with the following conf in place

"openid_connect": {
                "provider_url": "http://localhost:8080/realms/iRODS/.well-known/openid-configuration",
                "client_id": "irods",
                "redirect_uri": "http://localhost:9000/irods-http-api/0.1.0/authenticate",
                "state_timeout_in_seconds": 600,
                "irods_user_claim": "preferred_username"
            }

and a public (no secret) oidc client, if I try the following

curl http://localhost:9000/irods-http-api/0.1.0/authenticate -v
*   Trying 127.0.0.1:9000...
* Connected to localhost (127.0.0.1) port 9000 (#0)
> GET /irods-http-api/0.1.0/authenticate HTTP/1.1
> Host: localhost:9000
> User-Agent: curl/7.81.0
> Accept: */*
> 
* Empty reply from server
* Closing connection 0
curl: (52) Empty reply from server

I get the following error in the http api logs

[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Header: (Host, localhost:9000)
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Header: (User-Agent, curl/7.81.0)
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Header: (Accept, */*)
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Method: GET
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Version: 11
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Target: /irods-http-api/0.1.0/authenticate
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Keep Alive: true
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Has Content Length: false
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Chunked: false
[2024-01-25 13:44:48.402] [P:1] [debug] [T:20] on_read: Needs EOF: false
[2024-01-25 13:44:48.402] [P:1] [error] [T:20] parse_url: curl_url_get(CURLUPART_QUERY) error: 16

keycloak v23.0.4
iRODS v4.3.1
irods-http-api v0.1.0

Do you know, by any chance, what I am doing wrong? Related to #139 and #165?

alanking added the question (Further information is requested) label Jan 25, 2024

MartinFlores751 (Contributor) commented:

To get a working OIDC configuration, you would need to make the following changes:

-"openid_connect": {
+"oidc": {
-                "provider_url": "http://localhost:8080/realms/iRODS/.well-known/openid-configuration",
+                "config_host": "localhost",
+                "port": 8080,
+                "well_known_uri": "/realms/iRODS",
                "client_id": "irods",
                "redirect_uri": "http://localhost:9000/irods-http-api/0.1.0/authenticate",
                "state_timeout_in_seconds": 600,
-                "irods_user_claim": "preferred_username"
            }
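Review bot: removing the `irods_user_claim` line leaves `"state_timeout_in_seconds": 600,` as the last member of the object with a trailing comma, which a strict JSON parser rejects; the `-` line should take the comma with it, i.e. the context line becomes `"state_timeout_in_seconds": 600`. It is also worth stating next to the `well_known_uri` line that the old `provider_url` ended in `/.well-known/openid-configuration` while the new value is just `/realms/iRODS`, so readers do not copy the full discovery path into the new key.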

So your OIDC configuration, using your given values, would look like the following:

"oidc": {
                "config_host": "localhost",
                "port": 8080,
                "well_known_uri": "/realms/iRODS",
                "client_id": "irods",
                "redirect_uri": "http://localhost:9000/irods-http-api/0.1.0/authenticate",
                "state_timeout_in_seconds": 600
            }

Both provider_url and irods_user_claim are going to be 0.2.0 configuration items.

For documentation on HTTP API version 0.1.0, you can use the following link:
https://github.com/irods/irods_client_http_api/blob/0.1.0/README.md

Is there a conf parameter that I can set in my config.json such that I can authenticate against an OpenID client with a pair (client_id, client_secret) as credentials?

At the moment we only support public clients, but we are working on confidential client support using Client ID and Client Secret.

Do you know, by any chance, what I am doing wrong? Related to #139 and #165?

Yes, 0.1.0 is sensitive to the OIDC configuration you give. If there's something incorrect, it is likely you will encounter errors like this.

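The exchange the two comments above describe, the Authorization Code Grant as a public client versus a confidential client, written out as an added example in Python. This is not the HTTP API's own code (the project is C++) and it makes no network calls: the `oidc` block is copied from the reply above, the discovery document is a constructed stand-in for what the provider serves at the assembled well-known URL, and `StateStore`, `discovery_url`, `build_authorization_request`, `parse_callback`, `basic_auth_header` and `build_token_request` are illustrative names, not API-level identifiers from the project. Two details the thread touches are made concrete: a `state` that is single-use and expires after `state_timeout_in_seconds`, and the only difference between the two client types at the token endpoint, which is the `Authorization: Basic` header carrying `client_id:client_secret` (RFC 6749 section 2.3.1). The bare `GET /authenticate` with no query string in the report is the "no query" branch of `parse_callback`; in libcurl's URL API, `CURLUE_NO_QUERY` is error code 16.

```python
import base64
import secrets
import time
import urllib.parse

# Copy of the 0.1.0 "oidc" block from this thread. Assumption: the HTTP API's
# own parsing of these keys is not reproduced here, only the OIDC flow they feed.
OIDC_CONFIG = {
    "config_host": "localhost",
    "port": 8080,
    "well_known_uri": "/realms/iRODS",
    "client_id": "irods",
    "redirect_uri": "http://localhost:9000/irods-http-api/0.1.0/authenticate",
    "state_timeout_in_seconds": 600,
}

# Constructed stand-in for the provider's discovery document; a real client
# fetches it from discovery_url() and reads the endpoints from there.
DISCOVERY = {
    "issuer": "http://localhost:8080/realms/iRODS",
    "authorization_endpoint": "http://localhost:8080/realms/iRODS/protocol/openid-connect/auth",
    "token_endpoint": "http://localhost:8080/realms/iRODS/protocol/openid-connect/token",
}


def discovery_url(cfg, scheme="http"):
    """Assemble the OpenID Connect discovery URL from the split 0.1.0 keys."""
    base = cfg["well_known_uri"].rstrip("/")
    return f"{scheme}://{cfg['config_host']}:{cfg['port']}{base}/.well-known/openid-configuration"


class StateStore:
    """Single-use `state` values that expire after state_timeout_in_seconds."""

    def __init__(self, timeout_seconds):
        self.timeout = timeout_seconds
        self._issued = {}

    def remember(self, state, now=None):
        self._issued[state] = time.time() if now is None else now

    def consume(self, state, now=None):
        now = time.time() if now is None else now
        issued = self._issued.pop(state, None)  # pop: a replayed state is rejected
        return issued is not None and (now - issued) <= self.timeout


def build_authorization_request(cfg, discovery, store, now=None):
    """Step 1: the URL the browser is sent to; returns (url, state)."""
    state = secrets.token_urlsafe(32)
    store.remember(state, now)
    params = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": "openid",
        "state": state,
    }
    return discovery["authorization_endpoint"] + "?" + urllib.parse.urlencode(params), state


def query_params(url):
    """First value of each query parameter, or {} when there is no query at all."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}


def parse_callback(url, store, now=None):
    """Step 2: the provider redirects back to redirect_uri; return the code."""
    q = query_params(url)
    if not q:
        # A bare GET on redirect_uri with no query carries neither code nor state.
        raise ValueError("callback has no query string")
    if "error" in q:
        raise ValueError(f"provider returned error: {q['error']}")
    if "state" not in q or not store.consume(q["state"], now):
        raise ValueError("unknown, replayed or expired state")
    if "code" not in q:
        raise ValueError("callback has no authorization code")
    return q["code"]


def basic_auth_header(client_id, client_secret):
    """client_secret_basic per RFC 6749 section 2.3.1: form-encode, then base64."""
    cred = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def build_token_request(cfg, discovery, code, client_secret=None):
    """Step 3: redeem the code at the token endpoint; returns (url, headers, form).

    Public client: client_id only, in the form body. Confidential client: the
    same body plus the client secret in an Authorization header.
    """
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": cfg["redirect_uri"],
        "client_id": cfg["client_id"],
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is not None:
        headers["Authorization"] = basic_auth_header(cfg["client_id"], client_secret)
    return discovery["token_endpoint"], headers, form
```

The secret never appears in a URL or in the browser redirect: it is only sent in the back-channel request from the HTTP API to the token endpoint, which is why a confidential client needs a server-side component to hold it and why the public-client configuration in the reply has no secret field at all.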
@korydraughn korydraughn added this to the 0.3.0 milestone Jan 25, 2024
MartinFlores751 added a commit to MartinFlores751/irods_client_rest_cpp_beast that referenced this issue Mar 15, 2024
This commit implements Protected Resource mode for the HTTP API.
It relies on both Confidential Client mode and the alternate
User Mapping.
MartinFlores751 added a commit to MartinFlores751/irods_client_rest_cpp_beast that referenced this issue Mar 15, 2024
This commit provides documentation for Protected Resource Mode,
Confidential Client mode, and the alternate user mapping scheme.
trel pushed a commit that referenced this issue Mar 15, 2024 (the Protected Resource mode commit above)
trel pushed a commit that referenced this issue Mar 15, 2024 (the documentation commit above)
trel added the enhancement (New feature or request) label and removed the question (Further information is requested) label Mar 15, 2024
5 participants