adb014 commented on PR #517: URL: https://github.com/apache/guacamole-client/pull/517#issuecomment-4212714359
> * Pull the OpenID configuration from the publicly-available `well-known` endpoint.
> * Alternatively, allow guacamole.properties to drive the configuration in the absence of the public endpoint.

The “well-known” endpoint could be used to automatically configure the following parameters
- issuer
- authorization_endpoint
- token_endpoint
- jwks_uri

It could help with the response_type, as the well-known endpoint returns a list response_types_supported. So if “token” was a supported type but “id_token” wasn’t then we’d know the response_type to use with implicit flow.

Yes it would be nice to use the well-known endpoint to automatically configure things, though this poses several questions
- still need a manual method of setting the parameters as the well-known endpoint might not exist
- How to call the well-known endpoint once at startup and cache the values
- How to deal with the 3 sources of setting the values (guacamole.properties, environment and well-known endpoint) and the priority between them

If the well-known endpoint was used to configure the implicit flow response_type, you’d still have to treat the case of a missing well-known endpoint. Frankly better off just forcing AWS Cognito users to use code flow rather than implicit flow.

I’d be willing to propose a PR for use of the well-known endpoint, but only after #1198 is merged.
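One way the questions raised in the comment above could be resolved, as an added sketch that is not part of the comment and not Guacamole code. The priority order (properties, then environment, then discovery), the preference for code flow, the dictionary keys and the function names are all assumptions; the issuer comparison follows the OpenID Connect Discovery rule that the document's issuer must match the issuer it was fetched for.

```python
import json

# Parameters the comment lists as discoverable from the well-known document.
DISCOVERABLE = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample discovery document (not from a real provider).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/authorize",
    "token_endpoint": "https://idp.example.test/token",
    "jwks_uri": "https://idp.example.test/jwks.json",
    "response_types_supported": ["code", "token"],
})


def pick_response_type(manual, supported):
    """Manual value wins; otherwise prefer code flow (assumed preference)."""
    if manual:
        return manual
    if not supported:
        return "code"  # assumption: no discovery data, default to code flow
    for candidate in ("code", "id_token", "token"):
        if candidate in supported:
            return candidate
    raise ValueError("no usable response_type advertised")


def resolve_config(properties, environment, discovery_json, expected_issuer):
    """Merge the three sources once at startup and return the config to cache.

    discovery_json is None when the well-known endpoint does not exist.
    """
    discovered = {}
    if discovery_json is not None:
        discovered = json.loads(discovery_json)
        # Reject a document whose issuer differs from the one it was fetched for.
        if discovered.get("issuer") != expected_issuer:
            raise ValueError("discovery issuer mismatch")
    config = {}
    for key in DISCOVERABLE:
        value = properties.get(key) or environment.get(key) or discovered.get(key)
        if not value:
            raise ValueError(f"missing {key}: no manual or discovered value")
        config[key] = value
    manual = properties.get("response_type") or environment.get("response_type")
    config["response_type"] = pick_response_type(
        manual, discovered.get("response_types_supported"))
    return config
```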
