By: Cu kal user 21 Oct 2020 at 11:03 a.m. CDT

7 Responses
I'm trying to add an external OpenIDC provider that uses `private_key_jwt` as token endpoint auth method. Is this possible with Gluu 4.2? When adding the provider it seems the entry requires a `clientSecret`. Adding a vanilla value for `clientSecret` resulted in the following error, which may be caused by the token endpoint method:

```
2020-10-21T15:20:48.013Z [VERBOSE] Issuing token
2020-10-21T15:20:48.014Z [INFO] ::ffff:127.0.0.1 - GET /passport/token HTTP/1.1 200 201 - 1.297 ms
2020-10-21T15:20:48.388Z [VERBOSE] Validating token
2020-10-21T15:20:48.389Z [VERBOSE] Authenticating request against ExtOP
2020-10-21T15:20:48.392Z [INFO] ::ffff:127.0.0.1 - GET /passport/auth/ExtOP/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJqd3QiOiIwYzczZjMzZC1hNGE3LTRmMmItYWFlYi1kYjQzOWI4ZjRhMDMiLCJpYXQiOjE2MDMyOTM2NDgsImV4cCI6MTYwMzI5Mzc2OH0.rKPKSUFM08MKiHeNP-LycgvCJqGpvu3dahAJcBYwGww HTTP/1.1 302 0 - 5.096 ms
2020-10-21T15:20:48.856Z [VERBOSE] Authenticating request against ExtOP
2020-10-21T15:20:48.857Z [ERROR] Unknown Error: AuthorizationError: Unable to parse Authorization request
2020-10-21T15:20:48.858Z [ERROR] AuthorizationError: Unable to parse Authorization request
    at Strategy.authenticate (/opt/gluu/node/passport/node_modules/passport-openidconnect/lib/strategy.js:74:25)
    at attempt (/opt/gluu/node/passport/node_modules/passport/lib/middleware/authenticate.js:366:16)
    at authenticate (/opt/gluu/node/passport/node_modules/passport/lib/middleware/authenticate.js:367:7)
    at authenticateRequestCallback (/opt/gluu/node/passport/server/routes.js:128:4)
    at Layer.handle [as handle_request] (/opt/gluu/node/passport/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/gluu/node/passport/node_modules/express/lib/router/route.js:137:13)
    at validateProvider (/opt/gluu/node/passport/server/routes.js:100:5)
    at Layer.handle [as handle_request] (/opt/gluu/node/passport/node_modules/express/lib/router/layer.js:95:5)
    at next (/opt/gluu/node/passport/node_modules/express/lib/router/route.js:137:13)
    at Route.dispatch (/opt/gluu/node/passport/node_modules/express/lib/router/route.js:112:3)
    at Layer.handle [as handle_request] (/opt/gluu/node/passport/node_modules/express/lib/router/layer.js:95:5)
    at /opt/gluu/node/passport/node_modules/express/lib/router/index.js:281:22
    at param (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:354:14)
    at param (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:365:14)
    at Function.process_params (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:410:3)
    at next (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:275:10)
    at Function.handle (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:174:3)
    at router (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:47:12)
    at Layer.handle [as handle_request] (/opt/gluu/node/passport/node_modules/express/lib/router/layer.js:95:5)
    at trim_prefix (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:317:13)
    at /opt/gluu/node/passport/node_modules/express/lib/router/index.js:284:7
    at Function.process_params (/opt/gluu/node/passport/node_modules/express/lib/router/index.js:335:12)
2020-10-21T15:20:48.865Z [INFO] ::ffff:127.0.0.1 - GET /passport/auth/ExtOP/callback?error=invalid_request&error_description=Unable+to+parse+Authorization+request&state=HNZc4EfE4AtJ0U4QkJSfcmfu HTTP/1.1 500 148 - 8.427 m
```

By Michael Schwartz Account Admin 22 Oct 2020 at 9:49 a.m. CDT

Make sure you configure your client to use private key authn for the token endpoint, and that the public key (or jwks_uri) is added to the client.

By Kiran Mali staff 23 Oct 2020 at 4:32 a.m. CDT

Hi Cu kal,

Currently, this method is not supported in our passport module. Our passport module uses the `passport-openidconnect` npm package, which uses the `oauth` npm package, which only supports `client_secret_post`. You need to set the `client_secret_post` auth method at your external OP. This is a new feature, and I have created a feature issue in GitHub here: [https://github.com/GluuFederation/gluu-passport/issues/123](https://github.com/GluuFederation/gluu-passport/issues/123)

Best Regards,
Kiran Mali

By Cu kal user 23 Oct 2020 at 4:53 a.m. CDT

Hello Kiran,

Thanks for your reply and for opening an enhancement request. I've got it working purely in Apache / mod_auth_openidc, and it seems several things are unclear or unsupported in the `passport-openidconnect` strategy Gluu uses. http://www.passportjs.org/packages/openid-client/ might be a better strategy choice as it seems OpenID certified.

Gr, L

By Kiran Mali staff 23 Oct 2020 at 8:31 a.m. CDT

Thank you Cu Kal for sharing `openid-client`. We will work on it.

By Jose Gonzalez staff 23 Oct 2020 at 2:55 p.m. CDT

You can still make it work using passport-oxd; it adds a new component into the architecture though. Some docs to check:

https://www.gluu.org/docs/gluu-server/authn-guide/inbound-oauth-passport/#using-oxd-as-mediator
https://www.gluu.org/docs/oxd
https://github.com/GluuFederation/passport-oxd#passport-oxd

By Cu kal user 24 Oct 2020 at 5:29 p.m. CDT

Hi Jose,

Thanks for your suggestion; it seems worth looking into, but I don't really follow how it fits in the bigger picture. We're using Gluu as the authentication heavy-lifting component: our app sits behind an httpd reverse proxy, while a Gluu client, mod_auth_openid, provides our app with authentication headers. Works really well up until this OP. We don't write any particular authentication code aside from parsing the incoming OpenID headers, so I'm not sure how oxd fits into this. Does it replace a Passport strategy? Will I create a new Passport provider using oxd, giving it all the OpenID configuration for the remote OP? I also understand it's possible to install a new strategy into oxpassport; this might also work, I could try and add the certified OpenID Passport.js strategy.

These are the settings I used for mod_auth_openid (OIDCProviderMetadataURL probably sets some other parameters automatically):

```
OIDCProviderMetadataURL <openid discovery URL>
OIDCClientID <openid clientid>
OIDCRedirectURI <RP redirect url>
OIDCScope <scopes to include>
OIDCClientJwksUri <public jwks key url>
OIDCPublicKeyFiles <encryption public key> <signing public key>
OIDCPrivateKeyFiles <signing private key> <encryption private key>
OIDCUserInfoSignedResponseAlg RS256
OIDCUserInfoEncryptedResponseAlg RSA-OAE
```

Perhaps the encrypted userinfo endpoints could be problematic.

Gr

By Jose Gonzalez staff 26 Oct 2020 at 7:37 a.m. CDT

Thanks for sharing your use case. Passport is for inbound identity (you have a local Gluu Server and want to allow access to users that are registered elsewhere, external IDPs, OPs, etc., in addition to your regular local users). It means you don't need Passport, just one of the several existing ways to [integrate SSO](https://www.gluu.org/docs/gluu-server/integration/) in applications. Apache mod_auth_openidc is probably the most straightforward and is very lightweight. oxd can also be used for this purpose but requires more work and machine resources. If you're already happy with mod_auth_openidc I see no reason to change that.