Include issuer finding in Discovery
jumbojett opened this issue · 1 comment
There are two steps to discovery:
- figuring out which "issuer" to use for a given user
- figuring out the configuration once you have the issuer
One way of supporting this feature is utilizing an account chooser.
- look for the "iss" parameter on a login page for your issuer
- once you have that, you can get the configuration, and go
It's particularly useful if you're logging in using multiple issuers.
Server discovery in Java
https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-client/src/main/java/org/mitre/openid/connect/client/service/impl/ThirdPartyIssuerService.java
- Effectively, if it gets an "iss" parameter, it uses that as the issuer.
If it doesn't, it redirects you to the account chooser URL
This gets tied into the rest of the client filter that does the heavy lifting.
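The two discovery steps described above, as an added example that is not code from this issue, from the linked Java server or from any OpenID Connect library: issuer selection from an "iss" request parameter with an account-chooser fallback, then loading that issuer's configuration. It assumes PHP 8; the chooser URL, the list of registered issuers and the discovery document are constructed for the example.

```php
<?php
// Added example, not code from this issue or from any OpenID Connect library.
// Assumes PHP 8; ACCOUNT_CHOOSER_URL, $registered and $documents are constructed.

declare(strict_types=1);

const ACCOUNT_CHOOSER_URL = 'https://chooser.example.com/select'; // hypothetical

/**
 * Step 1: which issuer handles this user? The "iss" request parameter names it.
 * The value comes from the query string, so it is only accepted if it is a
 * well-formed issuer identifier (https, no query/fragment) and one this client
 * is actually registered with; anything else means "ask the account chooser".
 */
function resolveIssuer(array $requestParams, array $registeredIssuers): ?string
{
    $iss = $requestParams['iss'] ?? '';
    if (!is_string($iss) || $iss === '') {
        return null;
    }
    $parts = parse_url($iss);
    if ($parts === false || ($parts['scheme'] ?? '') !== 'https' || !isset($parts['host'])
        || isset($parts['query']) || isset($parts['fragment'])) {
        return null;
    }
    return in_array($iss, $registeredIssuers, true) ? $iss : null;
}

/** Well-known URL for an issuer; a trailing slash on the issuer must not produce "//". */
function wellKnownUrl(string $issuer): string
{
    return rtrim($issuer, '/') . '/.well-known/openid-configuration';
}

/**
 * Step 2: fetch and validate the configuration. $fetch is injected so this runs
 * offline; in production it is an HTTPS GET. OIDC Discovery 1.0 section 4.3
 * requires the document's "issuer" to be identical to the issuer it was
 * retrieved for, so a document claiming a different issuer is rejected.
 */
function loadConfiguration(string $issuer, callable $fetch): object
{
    $config = json_decode($fetch(wellKnownUrl($issuer)), false, 512, JSON_THROW_ON_ERROR);
    if (($config->issuer ?? null) !== $issuer) {
        throw new RuntimeException(sprintf('discovery document issuer "%s" != "%s"',
            $config->issuer ?? '(missing)', $issuer));
    }
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $key) {
        if (empty($config->$key)) {
            throw new RuntimeException("discovery document lacks $key");
        }
    }
    return $config;
}

/** Either the configuration to continue with, or the chooser URL to redirect to. */
function startLogin(array $requestParams, array $registeredIssuers, callable $fetch): array
{
    $issuer = resolveIssuer($requestParams, $registeredIssuers);
    if ($issuer === null) {
        return ['redirect' => ACCOUNT_CHOOSER_URL];
    }
    return ['issuer' => $issuer, 'config' => loadConfiguration($issuer, $fetch)];
}

// Constructed stand-in for the network: one provider's discovery document.
$documents = [
    'https://op.example.com/.well-known/openid-configuration' => json_encode([
        'issuer'                 => 'https://op.example.com',
        'authorization_endpoint' => 'https://op.example.com/authorize',
        'token_endpoint'         => 'https://op.example.com/token',
        'jwks_uri'               => 'https://op.example.com/jwks',
    ]),
];
$fetch = fn (string $url): string => $documents[$url]
    ?? throw new RuntimeException("no discovery document at $url");
$registered = ['https://op.example.com', 'https://login.example.org'];

// Login page reached with iss: go straight to that issuer's configuration.
$r = startLogin(['iss' => 'https://op.example.com'], $registered, $fetch);
echo "authorize at {$r['config']->authorization_endpoint}\n";

// No iss, or an issuer this client is not registered with: redirect to the chooser.
$r = startLogin([], $registered, $fetch);
echo "redirect to {$r['redirect']}\n";
$r = startLogin(['iss' => 'https://evil.example.net'], $registered, $fetch);
echo "redirect to {$r['redirect']}\n";
```

The allow-list in resolveIssuer is the part worth keeping: an "iss" taken from the request decides which provider the client will trust for this login, so it should only ever select among issuers the client already holds a registration (client_id, secret or keys) for, and the discovery document fetched for it must name exactly that issuer.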
Yes, in fact, when constructed, the OpenID Connect configuration asks for the base provider URL, to which it automatically adds the /.well-known/openid-configuration suffix. Then the $wellKnown value is loaded with all the OpenID server properties, including the issuer URL.
Then in the function verifyJWTClaims the return value should be:
```php
return (($claims->iss == $this->wellKnown->issuer)
    && (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
    && ($claims->nonce == $this->getNonce())
    && ( !isset($claims->exp) || $claims->exp >= time())
    && ( !isset($claims->nbf) || $claims->nbf <= time())
    && ( !isset($claims->at_hash) || $claims->at_hash == $expected_at_hash ));
```
and not:
```php
return (($claims->iss == $this->getProviderURL())
    && (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
    && ($claims->nonce == $this->getNonce())
    && ( !isset($claims->exp) || $claims->exp >= time())
    && ( !isset($claims->nbf) || $claims->nbf <= time())
    && ( !isset($claims->at_hash) || $claims->at_hash == $expected_at_hash ));
```
Because the providerURL can be very different from the issuerURL.
JF
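The claim check JF describes, written out as an added example that is not the library's code and not code from this issue: the "iss" claim is compared with the issuer taken from the discovery document, not with the configured provider URL, and the remaining checks are done with strict comparisons, a clock-skew allowance, proper handling of a string or array "aud", and the azp rule for multi-audience tokens. It assumes PHP 8; $providerURL, $wellKnown, $clientID and the claims are constructed, and the sample issuer carries a path that the provider URL does not.

```php
<?php
// Added example, not code from this issue or from any OpenID Connect library.
// Assumes PHP 8; the discovery document, client_id and claims below are constructed.

declare(strict_types=1);

const CLOCK_SKEW_SECONDS = 60; // tolerance for clock drift between client and OP

/**
 * Returns the list of reasons the claims are unacceptable; an empty array means valid.
 * $wellKnown is the decoded /.well-known/openid-configuration document. Signature
 * verification against the issuer's jwks_uri is assumed to have happened already.
 */
function verifyIdTokenClaims(object $claims, object $wellKnown, string $clientID,
                             string $expectedNonce, ?string $expectedAtHash, int $now): array
{
    $errors = [];

    // iss: compared with the discovered issuer, byte for byte (no normalisation, so
    // "https://op.example.com/" and "https://op.example.com" are different issuers).
    if (!isset($claims->iss) || $claims->iss !== $wellKnown->issuer) {
        $errors[] = 'iss mismatch';
    }

    // aud: a string or an array of strings; the client_id must be among them.
    $aud = $claims->aud ?? null;
    $audiences = is_array($aud) ? $aud : (is_string($aud) ? [$aud] : []);
    if (!in_array($clientID, $audiences, true)) {
        $errors[] = 'aud does not contain client_id';
    }
    // With several audiences, azp must name this client (OIDC Core 1.0 section 3.1.3.7).
    if (count($audiences) > 1 && (!isset($claims->azp) || $claims->azp !== $clientID)) {
        $errors[] = 'multiple audiences but azp missing or not client_id';
    }

    // nonce: ties the token to the authentication request that was actually sent.
    if (!isset($claims->nonce) || !hash_equals($expectedNonce, (string) $claims->nonce)) {
        $errors[] = 'nonce mismatch';
    }

    // exp is mandatory in an ID token; nbf is optional.
    if (!isset($claims->exp) || !is_int($claims->exp) || $claims->exp < $now - CLOCK_SKEW_SECONDS) {
        $errors[] = 'token expired or exp missing';
    }
    if (isset($claims->nbf) && $claims->nbf > $now + CLOCK_SKEW_SECONDS) {
        $errors[] = 'token not yet valid';
    }

    // at_hash is only checked when an access token was issued alongside the ID token.
    if ($expectedAtHash !== null
        && (!isset($claims->at_hash) || !hash_equals($expectedAtHash, (string) $claims->at_hash))) {
        $errors[] = 'at_hash mismatch';
    }
    return $errors;
}

// Constructed configuration: the issuer has a path the configured provider URL lacks.
$providerURL = 'https://op.example.com/';
$wellKnown   = (object) ['issuer' => 'https://op.example.com/realms/main'];
$clientID    = 'my-client';
$nonce       = 'n-0S6_WzA2Mj';
$now         = 1700000000;

$claims = (object) [
    'iss'   => 'https://op.example.com/realms/main',
    'aud'   => ['my-client', 'other-client'],
    'azp'   => 'my-client',
    'nonce' => $nonce,
    'exp'   => $now + 300,
    'iat'   => $now,
];

// Comparing iss with the configured provider URL rejects a perfectly good token,
// comparing it with the discovered issuer accepts it.
var_dump($claims->iss === $providerURL);
var_dump(verifyIdTokenClaims($claims, $wellKnown, $clientID, $nonce, null, $now));

// A token from another realm on the same host is still caught by the issuer check.
$foreign = clone $claims;
$foreign->iss = 'https://op.example.com/realms/other';
var_dump(verifyIdTokenClaims($foreign, $wellKnown, $clientID, $nonce, null, $now));
```

Using the discovered issuer only helps if the discovery document was itself validated when it was loaded (its "issuer" must equal the issuer the client fetched it for, per OIDC Discovery 1.0 section 4.3); otherwise the check merely trusts whatever issuer the document happens to claim. The loose `==` comparisons in the snippet above are also worth replacing with `===` and `hash_equals`, and `in_array($this->clientID, $claims->aud)` fails on PHP 8 when "aud" is a single string rather than an array, which is why the example normalises it first.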