
Spec violation: .well-known/openid-configuration must not be a redirect, return JSON directly #20

Closed
felix-schwarz opened this issue May 22, 2019 · 7 comments

@felix-schwarz

felix-schwarz commented May 22, 2019

Description

According to the OpenID Connect Discovery 1.0 spec, .well-known/openid-configuration must return a 200 OK HTTP status response and the JSON directly:

4.2. OpenID Provider Configuration Response

A successful response MUST use the 200 OK HTTP status code and return a JSON object using the application/json content type that contains a set of Claims as its members that are a subset of the Metadata values defined in Section 3.

Current

The test server returns 301 Moved Permanently, redirects to http://10.0.5.69:8080/index.php/apps/openidconnect/config and returns a text/html response.

Expected

The test server returns a 200 OK application/json response with the set of claims.

Version

@patrickjahns
Contributor

Having a look if a proxy pass as rewrite will work https://httpd.apache.org/docs/2.4/rewrite/proxy.html

@patrickjahns
Contributor

@felix-schwarz

I cannot reproduce the text/html issue - when issuing a curl I get a JSON response

curl -v http://10.254.254.254:8080/index.php/apps/openidconnect/config
*   Trying 10.254.254.254...
* TCP_NODELAY set
* Connected to 10.254.254.254 (10.254.254.254) port 8080 (#0)
> GET /index.php/apps/openidconnect/config HTTP/1.1
> Host: 10.254.254.254:8080
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Wed, 24 Jul 2019 09:18:49 GMT
< Server: Apache
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
< X-Frame-Options: SAMEORIGIN
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Set-Cookie: ocef16v6ftaf=mdm1gcpev8khdpmgt27rfn6ft5; path=/; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-cache, must-revalidate
< Pragma: no-cache
< Set-Cookie: oc_sessionPassphrase=PVy1PgrY3k4gZj%2FZEkSeMUIE6%2BoBumj6lr3aumcpeqxmPKpuNW6a1EbC4I%2F9DX4HSSeb5dYULA%2BqFy7D766i3nzzN%2BRH%2BFPZDQdssW8KUbiPFkPhVWCwg1AdZyRwOBq4; path=/; HttpOnly
< Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
< Content-Length: 3519
< Content-Type: application/json; charset=utf-8
<
* Connection #0 to host 10.254.254.254 left intact
{"acr_values_supported":["urn:mace:incommon:iap:bronze"],"authorization_endpoint":"http:\/\/10.254.254.254:3000\/auth","claims_parameter_supported":true,"claims_supported":["sub","address","email","email_verified","phone_number","phone_number_verified","birthdate","family_name","gender","given_name","locale","middle_name","name","nickname","picture","preferred_username","profile","updated_at","website","zoneinfo","acr","sid","auth_time","iss","amr"],"code_challenge_methods_supported":["S256"],"end_session_endpoint":"http:\/\/10.254.254.254:3000\/session\/end","grant_types_supported":["implicit","authorization_code","refresh_token","urn:ietf:params:oauth:grant-type:device_code"],"id_token_signing_alg_values_supported":["HS256","PS256","RS256","ES256","EdDSA"],"issuer":"http:\/\/localhost:3000","jwks_uri":"http:\/\/10.254.254.254:3000\/jwks","registration_endpoint":"http:\/\/10.254.254.254:3000\/reg","request_object_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"request_parameter_supported":true,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"response_modes_supported":["form_post","fragment","query","web_message"],"response_types_supported":["code id_token","code","id_token","none"],"scopes_supported":["openid","offline_access","address","email","phone","profile"],"subject_types_supported":["public","pairwise"],"token_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt"],"token_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"token_endpoint":"http:\/\/10.254.254.254:3000\/token","userinfo_endpoint":"http:\/\/10.254.254.254:3000\/me","userinfo_signing_alg_values_supported":["HS256","PS256","RS256","ES256","EdDSA"],"introspection_endpoint":"http:\/\/10.254.254.254:3000\/token\/introspection","introspection_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt"],"introspection_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"revocation_endpoint":"http:\/\/10.254.254.254:3000\/token\/revocation","revocation_endpoint_auth_methods_supported":["none","client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt"],"revocation_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"id_token_encryption_alg_values_supported":["A128KW","A256KW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A256KW","RSA-OAEP"],"id_token_encryption_enc_values_supported":["A128CBC-HS256","A128GCM","A256CBC-HS512","A256GCM"],"userinfo_encryption_alg_values_supported":["A128KW","A256KW","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A256KW","RSA-OAEP"],"userinfo_encryption_enc_values_supported":["A128CBC-HS256","A128GCM","A256CBC-HS512","A256GCM"],"request_object_encryption_alg_values_supported":["A128KW","A256KW","RSA-OAEP","ECDH-ES","ECDH-ES+A128KW","ECDH-ES+A256KW"],"request_object_encryption_enc_values_supported":["A128CBC-HS256","A128GCM","A256CBC-HS512","A256GCM"],"check_session_iframe":"http:\/\/10.254.254.254:3000\/session\/check","backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"device_authorization_endpoint":"http:\/\/10.254.254.254:3000\/device\/auth","claim_types_supported":["normal"],"service_documentation":"https:\/\/github.com\/panva\/node-oidc-provider","version":"6.2.0"}

@felix-schwarz
Author

@patrickjahns It's /.well-known/openid-configuration that returns the text/html response (and also does a redirect).

Going by the spec, /.well-known/openid-configuration should return what /index.php/apps/openidconnect/config currently returns.
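The thread above hinges on which URL gets checked: fetching /index.php/apps/openidconnect/config directly looks fine, while /.well-known/openid-configuration is answered with a 301. A small checker that refuses to follow redirects makes that difference visible. What follows is an added example, not code from this issue or from the ownCloud openidconnect app; it uses only the Python standard library, and the demo provider at the bottom is a constructed stand-in whose paths mirror the ones named in the report (its `fixed` flag is an assumption for showing the before and after, not a project setting).

```python
"""Added example: check an OpenID Connect discovery URL against Discovery 1.0
section 4.2 (200 OK + application/json, never a redirect) and section 4.3
(issuer must match the URL the document was fetched from)."""
import json
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"
# Metadata values that section 3 of the spec marks REQUIRED.
REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def fetch_no_redirect(url, timeout=5):
    """GET with a bare HTTP client so a 3xx is reported instead of followed.
    Returns (status, lower-cased header dict, body bytes)."""
    u = urlparse(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Accept": "application/json"})
        resp = conn.getresponse()
        return resp.status, {k.lower(): v for k, v in resp.getheaders()}, resp.read()
    finally:
        conn.close()


def validate_discovery(status, headers, body, discovery_url):
    """Return the list of violations found (an empty list means compliant)."""
    problems = []
    if status != 200:
        msg = f"status {status}, spec requires 200 OK"
        if "location" in headers:
            msg += f" (redirect to {headers['location']} is not allowed)"
        return [msg]
    media = headers.get("content-type", "").split(";")[0].strip().lower()
    if media != "application/json":
        problems.append(f"content-type {media!r}, spec requires application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]
    problems += [f"missing required value {k!r}" for k in REQUIRED if k not in doc]
    # Section 4.3: when fetched from the well-known path, the issuer must equal
    # that URL minus the suffix; otherwise a client could accept endpoints and
    # a jwks_uri that belong to a different issuer.
    if discovery_url.endswith(WELL_KNOWN) and "issuer" in doc:
        expected = discovery_url[: -len(WELL_KNOWN)]
        if doc["issuer"].rstrip("/") != expected.rstrip("/"):
            problems.append(f"issuer {doc['issuer']!r} != discovery URL base {expected!r}")
    return problems


def check(url):
    """Fetch without following redirects and validate; returns the violation list."""
    return validate_discovery(*fetch_no_redirect(url), url)


class _Demo(BaseHTTPRequestHandler):
    """Constructed provider. With server.fixed False the well-known path 301s to
    the app path (the reported behaviour); with it True both paths serve JSON."""
    APP_PATH = "/index.php/apps/openidconnect/config"

    def do_GET(self):
        host, port = self.server.server_address
        base = f"http://{host}:{port}"
        if self.path == WELL_KNOWN and not self.server.fixed:
            self.send_response(301)
            self.send_header("Location", base + self.APP_PATH)
            self.end_headers()
            return
        if self.path not in (WELL_KNOWN, self.APP_PATH):
            self.send_error(404)
            return
        doc = {"issuer": base, "authorization_endpoint": base + "/auth",
               "jwks_uri": base + "/jwks", "response_types_supported": ["code"],
               "subject_types_supported": ["public"],
               "id_token_signing_alg_values_supported": ["RS256"]}
        body = json.dumps(doc).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def run_demo(fixed=False):
    """Start the constructed provider on a free port and check both paths.
    Returns {path: violation list}."""
    srv = HTTPServer(("127.0.0.1", 0), _Demo)
    srv.fixed = fixed  # assumption: demo-only flag read by the handler
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    try:
        return {p: check(base + p) for p in (WELL_KNOWN, _Demo.APP_PATH)}
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for label, result in (("before", run_demo()), ("after", run_demo(fixed=True))):
        for path, probs in result.items():
            print(label, path, "OK" if not probs else probs)
```

Run as a script it prints the "before" state (well-known path flagged for the 301, app path clean) and the "after" state (both clean). Against a real provider, `check("https://issuer.example/.well-known/openid-configuration")` is the call to make: curl with its default settings or any client that auto-follows redirects would hide exactly the violation this issue is about, which is why the fetcher deliberately uses a plain connection.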

@patrickjahns
Contributor

@felix-schwarz
I well understand that the redirect needs resolving - I interpreted your comment above, that index.php/apps/openidconnect/config returns text/html response.

Which I documented is not the case and cannot be reproduced when accessing it directly. So what is left to do is to resolve how to proxy the result from the URL to the well-known URL

@felix-schwarz
Author

@patrickjahns I see now that my comment wasn't worded clearly enough. Sorry.

So what is left to do is to resolve how to proxy the result from the URL to the well-known URL

Yep!

@micbar micbar assigned sharidas and unassigned DeepDiver1975 Jul 26, 2019
@sharidas

sharidas commented Aug 2, 2019

Below are the steps I have tried and I was not able to reproduce the issue.

sujith@sujith-ownCloud  ~  curl -I http://10.254.254.254:8080/.well-known/openid-configuration                       
HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 12:25:59 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Length: 3519
Content-Type: application/json; charset=utf-8
Set-Cookie: ocg1h99rbrpd=c4auflssgr1ls943bucsfsi131; path=/; HttpOnly
Set-Cookie: oc_sessionPassphrase=kAEgFwpdT43aDQPcV02xkDagVIa8pCMB%2B8hDolHBMa77K%2F4%2FGemvnkYPKL2%2F4%2B8%2BIiNw9rpYjxljxqdZqxVT9ldc9MzLh5cO342wUu9xktwnu2CT8rE0WGU4tz8wWIXD; path=/; HttpOnly

 sujith@sujith-ownCloud  ~  
  • config url ->
sujith@sujith-ownCloud  ~  curl -I http://10.254.254.254:8080/index.php/apps/openidconnect/config                   
HTTP/1.1 200 OK
Date: Fri, 02 Aug 2019 12:27:32 GMT
Server: Apache
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
X-Robots-Tag: none
X-Frame-Options: SAMEORIGIN
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Set-Cookie: ocg1h99rbrpd=gfd42ilqtq2gufehovo9fi1jgh; path=/; HttpOnly
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: oc_sessionPassphrase=pmlL0xrgYP%2BC2dZ3Vez9ELeX9KLaNym0N4t3W4I%2BU1FlILkMCDp08dfmb509MELgXWYo3RJdE4hUZRxlKARd5%2BZASitYrobycZGErDzxc4j5eDjFS%2FS2zC%2FaCTfpNSo3; path=/; HttpOnly
Content-Security-Policy: default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'
Content-Length: 3519
Content-Type: application/json; charset=utf-8

 sujith@sujith-ownCloud  ~ 

@DeepDiver1975
Member

@patrickjahns did fix this already -> close
