
[Security] OIDC Discovery #50433

Open
vincentchalamon opened this issue May 25, 2023 · 2 comments
@vincentchalamon (Contributor) commented May 25, 2023

Description

On the OIDC User Info (experimental) feature, the Symfony Security Bundle configuration allows passing a custom client, or auto-creating a client from the configuration passed (e.g. base_uri).

The OIDC Discovery Specification specifies a .well-known entrypoint to discover the User Info entrypoint and other public information. It would be better to consume this entrypoint instead of statically specifying the client base_uri.

As some OIDC servers don't implement this Discovery Specification, and for backward compatibility, it should still be possible to use the OIDC User Info feature without any .well-known entrypoint (as it's already the case in 6.3).

Question: should it be a new feature or a bugfix?

Example

Current implementation (still valid):

```yaml
security:
  firewalls:
    main:
      oidc_user_info:
        # the two "client" forms below are alternatives, not used together:
        # using a custom Symfony HTTP Client (service id)
        client: my-client
        # using an auto-generated client
        client:
          base_uri: https://www.example.com/protocol/openid-connect/userinfo
```

Using OIDC Discovery:

```yaml
security:
  firewalls:
    main:
      oidc_user_info:
        # proposal 1: add a "well_known" option not combinable with the "client" option
        well_known: https://www.example.com/.well-known/openid-configuration
        # proposal 2: use the "client" option to set the Well-Known URI, and detect it in the token handler
        client:
          base_uri: https://www.example.com/.well-known/openid-configuration
```
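
The resolution logic behind proposal 1, as an added example that is not part of the issue and not Symfony's code: `resolveUserInfoEndpoint()` is a hypothetical helper that takes the two configuration shapes shown above, fetches the `.well-known/openid-configuration` document when `well_known` is set, and otherwise falls back to the static `base_uri` exactly as 6.3 does. The `$fetch` callable and the sample discovery document are constructed for the example so it runs offline; a real implementation would fetch over an HTTP client with TLS verification on. The one check worth carrying into any implementation is the issuer comparison: OIDC Discovery 1.0 section 4.3 requires the document's `issuer` to equal the URL prefix it was fetched from, which stops a discovery document from quietly redirecting UserInfo calls (and the bearer token sent with them) to a different host.

```php
<?php
declare(strict_types=1);

// Added example (not Symfony code). resolveUserInfoEndpoint() is a hypothetical
// helper showing how the two configuration shapes from the issue could be
// resolved to one UserInfo URL. $fetch is an injected callable
// (string $url): string that returns a response body, so the example runs
// offline; a real implementation would use an HTTP client with TLS verification.
// Requires PHP 8.0+ (str_starts_with / str_ends_with).

function resolveUserInfoEndpoint(array $config, callable $fetch): string
{
    // Proposal 1 from the issue: "well_known" and "client" are mutually exclusive.
    if (isset($config['well_known'], $config['client'])) {
        throw new InvalidArgumentException('"well_known" and "client" cannot be combined');
    }

    // No discovery configured: keep the static 6.3 behaviour (base_uri is the UserInfo URL).
    if (!isset($config['well_known'])) {
        $baseUri = $config['client']['base_uri'] ?? null;
        if (!is_string($baseUri) || $baseUri === '') {
            throw new InvalidArgumentException('client.base_uri is required when well_known is not set');
        }
        return $baseUri;
    }

    $wellKnown = $config['well_known'];
    $suffix = '/.well-known/openid-configuration';
    if (!str_starts_with($wellKnown, 'https://') || !str_ends_with($wellKnown, $suffix)) {
        throw new InvalidArgumentException('well_known must be an https URL ending in ' . $suffix);
    }

    // OIDC Discovery 1.0 section 4.3: the "issuer" in the document MUST be identical
    // to the URL prefix the document was fetched from. Enforcing this rejects a
    // document that would send UserInfo calls (and the bearer token) to another issuer.
    // Trailing slashes are normalised on both sides before comparing.
    $expectedIssuer = rtrim(substr($wellKnown, 0, -strlen($suffix)), '/');

    $doc = json_decode($fetch($wellKnown), true, 512, JSON_THROW_ON_ERROR);
    $issuer = is_array($doc) && is_string($doc['issuer'] ?? null) ? rtrim($doc['issuer'], '/') : null;
    if ($issuer !== $expectedIssuer) {
        throw new RuntimeException('discovery document issuer does not match ' . $expectedIssuer);
    }

    $userinfo = $doc['userinfo_endpoint'] ?? null;
    if (!is_string($userinfo) || !str_starts_with($userinfo, 'https://')) {
        throw new RuntimeException('discovery document has no https userinfo_endpoint');
    }

    return $userinfo;
}

// Constructed sample discovery document; not captured from a real provider.
$sampleDiscovery = json_encode([
    'issuer' => 'https://www.example.com',
    'userinfo_endpoint' => 'https://www.example.com/protocol/openid-connect/userinfo',
], JSON_THROW_ON_ERROR);
$fetch = static fn (string $url): string => $sampleDiscovery;

// Discovery: resolves to the userinfo_endpoint advertised by the document.
echo resolveUserInfoEndpoint(
    ['well_known' => 'https://www.example.com/.well-known/openid-configuration'],
    $fetch
), PHP_EOL;

// Static fallback: no discovery, base_uri is used as-is (current 6.3 behaviour).
echo resolveUserInfoEndpoint(
    ['client' => ['base_uri' => 'https://www.example.com/protocol/openid-connect/userinfo']],
    $fetch
), PHP_EOL;

// Issuer mismatch: a document claiming another issuer is rejected.
try {
    resolveUserInfoEndpoint(
        ['well_known' => 'https://www.example.com/.well-known/openid-configuration'],
        static fn (string $url): string => json_encode([
            'issuer' => 'https://evil.example',
            'userinfo_endpoint' => 'https://evil.example/userinfo',
        ], JSON_THROW_ON_ERROR)
    );
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run with `php example.php`. Whether proposal 1 or proposal 2 is adopted, the discovery path should also cache the document for the lifetime of the process (or a short TTL) rather than refetching on every request, and the static path deliberately skips validation so that providers without a `.well-known` endpoint keep working unchanged.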
@carsonbot

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

@vincentchalamon (Contributor, Author)

Hey @carsonbot, this issue is still relevant; I just haven't had time to work on it yet.

@carsonbot carsonbot removed the Stalled label Nov 27, 2023