Ryan Lapchynski created GUACAMOLE-1094:
------------------------------------------

             Summary: Allow override of response_type parameter value
                 Key: GUACAMOLE-1094
                 URL: https://issues.apache.org/jira/browse/GUACAMOLE-1094
             Project: Guacamole
          Issue Type: Bug
          Components: guacamole-auth-openid
    Affects Versions: 1.1.0
            Reporter: Ryan Lapchynski
             Fix For: 1.2.0


The OpenID Connect auth extension supports only the ["implicit" flow|https://openid.net/specs/openid-connect-implicit-1_0.html#RequestParameters], and currently [hard-codes|https://github.com/apache/guacamole-client/blob/4fec4638fc8652b684eea069e9ee9fe423615bfa/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java#L80] the value of the "response_type" parameter as "id_token". According to the [OIDC spec|https://openid.net/specs/openid-connect-core-1_0.html#IDToken], the authentication server should return the user with an ID token, but in some auth server implementations other values of this parameter are required and they will not work otherwise, yet still return the necessary information (the user's ID token in the id_token parameter) when given their required value.

My particular use case involves authenticating against AWS Cognito. If the Cognito IdP receives a request with "response_type=id_token", rather than returning a sign-in page and authenticating the user, it returns a page showing just an "invalid request" error message. If instead "response_type=token" is used, authentication works as expected. In the [Cognito documentation|https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html] it is stated that "response_type must be {{code}} or {{token}}".

I've only tested and confirmed that this is an issue with AWS Cognito, but according to the documentation for the OIDC identity providers on a couple of other major cloud providers:

GCP's Identity Platform [seems to require|https://developers.google.com/identity/protocols/oauth2/openid-connect#response-type] response_type to be "token id_token" or "id_token token".

Azure's Microsoft Identity Platform [requires|https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow] response_type to be "id_token" or "id_token token".

I'm submitting a PR that adds an optional guacamole.properties string parameter 
for the OpenID auth extension that allows overriding the default value of 
response_type. The default value is "id_token", so the behavior remains 
unchanged if the override parameter is left unspecified.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
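Added example, not code from the Jira issue or from the Guacamole project: it shows how an implicit-flow authorization request is assembled with an overridable response_type that defaults to "id_token", how an override is restricted to the values the providers named above actually accept for the implicit flow, and how the redirect fragment is checked for the id_token the extension needs. The property key `openid-response-type`, the endpoint, client id and redirect URL are placeholders chosen for this example, not the extension's real configuration.

```python
"""Implicit-flow authorization request with a configurable response_type.

Added example; the property key "openid-response-type" and all URLs and
identifiers below are constructed placeholders, not Guacamole's own.
"""
from urllib.parse import parse_qs, urlencode, urlparse

# Behaviour when the override is unset: identical to the hard-coded value.
DEFAULT_RESPONSE_TYPE = "id_token"

# response_type values the providers in the report accept for the implicit
# flow.  Bare "token" is allowed because Cognito still returns id_token with
# it.  Word order ("token id_token" vs "id_token token") is irrelevant for
# the check, but the configured string is passed through unchanged, since
# some providers document one particular ordering.  "code" is rejected: it
# selects the authorization-code flow, which this extension does not support.
KNOWN_RESPONSE_TYPES = {
    frozenset({"id_token"}),
    frozenset({"token"}),
    frozenset({"id_token", "token"}),
}


def resolve_response_type(properties):
    """Return the response_type to send, honouring an optional override.

    `properties` is a dict standing in for guacamole.properties (assumption).
    """
    value = (properties.get("openid-response-type") or "").strip()
    if not value:
        return DEFAULT_RESPONSE_TYPE
    if frozenset(value.split()) not in KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type override: {value!r}")
    return value


def build_authorization_url(endpoint, client_id, redirect_uri, state, nonce, properties):
    """Assemble the OIDC authorization request URL for the implicit flow."""
    params = {
        "response_type": resolve_response_type(properties),
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email profile",
        "state": state,   # CSRF binding, checked on return
        "nonce": nonce,   # replay binding, echoed inside the ID token
    }
    return f"{endpoint}?{urlencode(params)}"


def extract_id_token(redirect_url, expected_state):
    """Parse the implicit-flow fragment and return the id_token value.

    Raises ValueError when the state does not match, when the provider
    returned an error (the "invalid request" case from the report), or when
    no id_token is present, regardless of which response_type was sent.
    """
    values = parse_qs(urlparse(redirect_url).fragment)
    if values.get("state", [None])[0] != expected_state:
        raise ValueError("state parameter missing or mismatched")
    if "error" in values:
        raise ValueError(f"provider returned error: {values['error'][0]}")
    token = values.get("id_token")
    if not token:
        raise ValueError("response did not include id_token")
    return token[0]


if __name__ == "__main__":
    # Constructed sample: override set to the value Cognito requires.
    props = {"openid-response-type": "token"}
    url = build_authorization_url(
        "https://idp.example/oauth2/authorize",  # placeholder endpoint
        "client-id-placeholder",
        "https://guac.example/guacamole/",
        state="s1", nonce="n1", properties=props,
    )
    print(url)
    # Constructed redirect as the browser would deliver it (fragment, not query).
    redirect = "https://guac.example/guacamole/#id_token=hdr.payload.sig&token_type=Bearer&state=s1"
    print(extract_id_token(redirect, "s1"))
```

With the override left unset the request is byte-for-byte what the hard-coded field produces today; with it set to "token", the URL carries `response_type=token` and the returned fragment is still required to contain `id_token`, so a provider that honours the override but omits the ID token fails closed rather than leaving the user half-authenticated.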
