Comments (11)
I also understand your reasoning. However, we enforce the grant type on the token endpoint by OIDC client config. For refresh_token
the OIDC config must contain that grant. In our current model, only OIDC apps have OIDC config. But JWT profile can be used by so much more, like APIs and service users. If those apps would start sending refresh tokens, they would simply get an error back that the grant is not allowed. So supporting refresh tokens here, is not as simple at the moment. This limitation is also present for other features and I'm currently rethinking the data model to unify the different App types we have, but I don't have anything formal yet.
Currently this issue discusses returning an ID token. We estimated this to be an easy fix that takes us less than a day, hence we categorized it as "Small issue". Adding refresh token functionality to this issue won't fit that definition anymore by the above reasoning. Hence, we will probably not do it now. I suggest you open a separate issue / feature request which can be estimated independently.
from oidc.
Thank you @muhlemmer for your clarifications. If client_id
must be the same as sub
, then I should address it on client side I guess. I probably mixed the two auth flow use cases (normal users vs. anonymous users) in my mind.
Described case is for anonymous user API access and is as follows:
- Mobile app obtains assertion from server
- Mobile app uses
jwt-bearer
grant to obtain access_token for anonymous API access.
The id_token
is rather a by-product not really used on app side for anonymous users but nevertheless checked by the used oidc library. Now thinking about it again, it probably makes sense to have client_id
="anonymous user id" in this case. I'll tweak the library so that id_token
verification can still succeed.
In any case, no "secrets" whatsoever are stored on mobile app side.
Long story short: No more actions required on your side, thank you :-)
from oidc.
Furthermore, it would be desirable to have a refresh_token
returned as well if scope offline_access
is given.
Reason: This would allow to use the same token refresh mechanism (as is used for "auth code" grant type) in a client application.
from oidc.
@akaegi we did discuss this. But as the JWT profile grant already works without user interaction, there is no real offline_access
. The app might as well just send a freshly signed JWT, instead of needing a refresh token.
from oidc.
I understand your reasoning @muhlemmer. However it produces more code on client side because token renewal has to be implemented manually. Otherwise this can be handled by most libraries that automatically renew access tokens based based on the "refresh token grant".
from oidc.
zitadel/zitadel#7822 would fix this
from oidc.
It would fix it only for zitadel through the custom implementation of the ClientCredentials
server method. Is that sufficient for the requested usecase?
from oidc.
Thank you @muhlemmer for implementing this extension 🙏
When trying to incorporate it into our mobile app I ran into the following issue: The returned id_token
has its client_id
claim set to to the user id of the asserted user as given by the assertion
. However I'd like the client_id
to be the mobile app's client_id
(and have it in the aud
claim as a consequence). Otherwise the id_token
validation will fail on mobile app side.
Any idea on how I could either pass the client_id
(currently ignored if passed to the token endpoint) or request it to be added to the aud
claim?
@livio-a
Many thanks for your support,
Andreas
from oidc.
@akaegi with the urn:zitadel:iam:org:project:id:{projectid}:aud
scope you can add the entire project of the client into the audience, making it valid for that app. Would that solve your issue?
from oidc.
Unfortunately no. I already added the project scope and have no problems with access_token validation on API/server side.
The problem is that the client-side OIDC library checks whether the configured client_id (of the mobile app) is part of the audience claim (this is according to OIDC specs)
Apparently, the client_id is currently somehow "fixed" to the service user id that is tied to the assertion of the jwt-bearer grant, see screenshot below (service user id ends with 0383
)
from oidc.
@akaegi when mixing Oauth2 authentication methods with OIDC compliance, such collisions do occur. JWT Profile for client authentication is not part of the OpenID Connect specs.
RFC 7523, Section 3, item 2B specifies:
For client authentication, the subject MUST be the "client_id" of the OAuth client
I'm also surprised. Are you storing a private key in a mobile app, use it for end-user authentication and then pass the tokens to an OIDC library for verification? This doesn't sound like a good security practice, as malicious actors may try to obtain such private key using reverse engineering techniques.
Perhaps your use case confuses me. May I suggest a new discussion to be opened that describes the complete use case and explain how that use case can't be fulfilled using regular authentication flows? As I wasn't part of the talks that were held with @livio-a, I'm just guessing here.
from oidc.
Related Issues (20)
- [Bug]: client invalid signature when OIDC server is restarted HOT 2
- The automated release is failing 🚨
- [Bug]: nil pointer dereference in `crypto.BytesToPrivateKey` HOT 3
- Access to auto discovery configuration HOT 3
- Allow empty nonce from ID Tokens issued from Refresh Tokens HOT 10
- Support form_post OIDC response mode HOT 4
- Do not ignore all JWKS parsing errors HOT 3
- [Bug]: nil pointer dereference when not setting unauthorized handler HOT 2
- Switch to `log/slog` HOT 2
- [Bug]: The behavior of response_mode does not adhere to the guidelines HOT 2
- Support ``verification_url`` mispelling in the device auth response HOT 6
- Set IDTokenSigningAlgValuesSupported of DiscoveryConfiguration obtained by Discover when initializing RelyingParty. HOT 3
- Update to go-jose/v4 HOT 4
- add prometheus metrics for apis HOT 2
- I want to increase the defaults for signature algorithm. HOT 2
- Question about licensing HOT 5
- Help: native client app use?
- [Bug]: Validation of redirect_uri is not performed before redirect HOT 6
- refresh token with Okta fails
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from oidc.