[
https://issues.apache.org/jira/browse/GUACAMOLE-1094?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Nick Couchman updated GUACAMOLE-1094:
-------------------------------------
Issue Type: Improvement (was: Bug)
> Allow override of response_type parameter value
> -----------------------------------------------
>
> Key: GUACAMOLE-1094
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-1094
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-auth-openid
> Affects Versions: 1.1.0
> Reporter: Ryan Lapchynski
> Priority: Trivial
> Labels: AWS, patch, ready-to-commit
>
> The OpenID Connect auth extension supports only the ["implicit"
> flow|https://openid.net/specs/openid-connect-implicit-1_0.html#RequestParameters],
> and currently
> [hard-codes|https://github.com/apache/guacamole-client/blob/4fec4638fc8652b684eea069e9ee9fe423615bfa/extensions/guacamole-auth-openid/src/main/java/org/apache/guacamole/auth/openid/form/TokenField.java#L80]
> the value of the "response_type" parameter as "id_token". According to the
> [OIDC spec|https://openid.net/specs/openid-connect-core-1_0.html#IDToken],
> the authentication server should return the user with an ID token, but some
> auth server implementations require other values of this parameter and will
> not work otherwise; given their required value, they still return the necessary
> information (the user's ID token in the id_token parameter).
> My particular use case involves authenticating against AWS Cognito. If the
> Cognito IdP receives a request with "response_type=id_token", then rather than
> returning a sign-in page and authenticating the user, it returns a page
> showing just an "invalid request" error message. If instead
> "response_type=token" is used, authentication works as expected. In the
> [Cognito
> documentation|https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html]
> it is stated that "response_type must be {{code}} or {{token}}".
> I've only tested and confirmed that this is an issue with AWS Cognito, but
> according to the documentation for the OIDC identity providers on a couple of
> other major cloud providers:
> * GCP's Identity Platform [seems to
> require|https://developers.google.com/identity/protocols/oauth2/openid-connect#response-type]
> response_type to be "token id_token" or "id_token token"
> * Azure's Microsoft Identity Platform
> [requires|https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow]
> response_type to be "id_token" or "id_token token"
>
> I'm submitting a PR that adds an optional guacamole.properties string
> parameter for the OpenID auth extension that allows overriding the default
> value of response_type. The default value is "id_token", so the behavior
> remains unchanged if the override parameter is left unspecified.
>
--
This message was sent by Atlassian Jira
(v8.20.1#820001)