
Use access token for UserInfo endpoint access #2446

Merged: 1 commit merged into main from use-access-token on Jul 18, 2022

Conversation

@makkes (Member) commented Jul 18, 2022

Some OIDC providers (such as Keycloak) check the token type to match
"Bearer" which is not true for the ID token which holds the token type
"ID". Therefore, the ID token cannot (and supposedly should not) be
used to authorize requests to resource servers.

With this change the auth server stores the access token alongside the
ID token in the browser's cookies so that it can be used by the
weave-gitops server later on, e.g. to make requests against the
UserInfo endpoint of the OIDC provider.

A caveat of this change is that the mock OIDC server used in tests
doesn't check the token type so without further changes to the
upstream library we cannot really test usage of the access token
properly.

closes #2125
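The behaviour described above, as an added example that is not code from the pull request or from weave-gitops: a Keycloak-style UserInfo mock that only accepts credentials whose token type is "Bearer" (which also closes the testing gap mentioned in the caveat), a handler that stores the access token next to the ID token in HttpOnly cookies, and the server-side call that picks the access token, never the ID token, for the UserInfo request. The cookie names, the `typ` claim used to carry the token type and the unsigned JWT-shaped tokens are assumptions for this example only; a real provider signs its tokens and a real resource server verifies them.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Cookie names are assumptions for this example, not weave-gitops' own.
const (
	idTokenCookie     = "id_token"
	accessTokenCookie = "access_token"
)

// mintToken builds an unsigned, JWT-shaped token whose "typ" claim carries
// the token type ("ID" or "Bearer"). Constructed test data only.
func mintToken(typ, sub string) string {
	enc := func(v any) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none"}) + "." +
		enc(map[string]string{"typ": typ, "sub": sub}) + "."
}

// tokenType reads the "typ" claim back out of a token minted above.
func tokenType(tok string) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	var claims struct {
		Typ string `json:"typ"`
	}
	if err := json.Unmarshal(raw, &claims); err != nil {
		return "", err
	}
	return claims.Typ, nil
}

// newStrictUserInfoServer mimics a Keycloak-style UserInfo endpoint: any
// credential whose token type is not "Bearer" (e.g. an ID token) gets 401.
func newStrictUserInfoServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if typ, err := tokenType(tok); err != nil || typ != "Bearer" {
			http.Error(w, `{"error":"invalid_token"}`, http.StatusUnauthorized)
			return
		}
		json.NewEncoder(w).Encode(map[string]string{"sub": "alice"})
	}))
}

// storeTokens keeps the access token next to the ID token in the browser's
// cookies, HttpOnly and Secure so page scripts cannot read either of them.
func storeTokens(w http.ResponseWriter, idToken, accessToken string) {
	for name, val := range map[string]string{idTokenCookie: idToken, accessTokenCookie: accessToken} {
		http.SetCookie(w, &http.Cookie{Name: name, Value: val, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	}
}

// userInfoFromCookies is the server-side path: take the access token (not the
// ID token) from the request cookies and present it to the UserInfo endpoint.
func userInfoFromCookies(r *http.Request, userInfoURL string) (map[string]string, error) {
	c, err := r.Cookie(accessTokenCookie)
	if err != nil {
		return nil, fmt.Errorf("no access token cookie: %w", err)
	}
	return fetchUserInfo(userInfoURL, c.Value)
}

// fetchUserInfo performs the UserInfo request with the given bearer token.
func fetchUserInfo(userInfoURL, token string) (map[string]string, error) {
	req, _ := http.NewRequest(http.MethodGet, userInfoURL, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("userinfo: HTTP %d", resp.StatusCode)
	}
	var claims map[string]string
	return claims, json.NewDecoder(resp.Body).Decode(&claims)
}

func main() {
	srv := newStrictUserInfoServer()
	defer srv.Close()
	rec := httptest.NewRecorder() // stands in for the OIDC callback response
	storeTokens(rec, mintToken("ID", "alice"), mintToken("Bearer", "alice"))
	req := httptest.NewRequest(http.MethodGet, "/userinfo", nil)
	for _, c := range rec.Result().Cookies() {
		req.AddCookie(c)
	}
	claims, err := userInfoFromCookies(req, srv.URL)
	fmt.Println(claims, err) // map[sub:alice] <nil>
	_, err = fetchUserInfo(srv.URL, mintToken("ID", "alice"))
	fmt.Println(err) // userinfo: HTTP 401
}
```

The mock is the piece the PR says the upstream test server lacks: because it checks the token type, a regression that sends the ID token to the UserInfo endpoint fails the test instead of passing silently.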

@makkes makkes requested a review from ozamosi July 18, 2022 10:14
@makkes makkes self-assigned this Jul 18, 2022
@makkes makkes added bug Something isn't working area/security labels Jul 18, 2022
@makkes makkes marked this pull request as ready for review July 18, 2022 12:41
@ozamosi ozamosi merged commit e615cbb into main Jul 18, 2022
@ozamosi ozamosi deleted the use-access-token branch July 18, 2022 14:39
Labels
area/security bug Something isn't working
Successfully merging this pull request may close these issues.

OIDC Auth error calling /oauth2/userinfo