[Koha-bugs] [Bug 30988] Add generic OpenIDConnect client implementation

bugzilla-daemon at bugs.koha-community.org
Fri Jul 22 18:19:46 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=30988

--- Comment #44 from Shi Yao Wang <shi-yao.wang at inLibro.com> ---
(In reply to Martin Renvoize from comment #42)
> This is looking good.. a few comments of where I'd love to see it headed and
> one that is unfortunately a QA fail at the moment.
> 
> QA Fail
> * We're missing Unit Tests for the new module you introduce, I'm afraid
> that's a hard fail for now.  It also looks like you have a note to do
> validation here which is missing... little confused as it looks like you are
> passing in a json structure rather than the token string.. so I'd have
> expected that to already be verified?  We could perhaps just use an existing
> library for this Mojo::JWT for instance?

Sorry, I am not really knowledgeable on the subject of token validation. For
the note, I put it there because I saw this note in the file
opac/svc/auth/googleopenidconnect that I copied to opac/svc/auth/openidconnect
when I started:
># Normally we'd have to validate the token - but google says not to worry here (Avoids another library!)
># See https://developers.google.com/identity/protocols/OpenIDConnect#obtainuserinfo for rationale

So I rewrote the note in the same spot just to give a heads up, since I am not
sure if it is needed and I couldn't figure out how to do it if it is needed. I
looked into it a little and I think it has something to do with validating the
token signature, involving the kid attribute (key id) and the jwks_uri of the
discovery document?

> little confused as it looks like you are
> passing in a json structure rather than the token string.. so I'd have
> expected that to already be verified?

The JSON passed in looks like this:
>{
>    'access_token' => '(encoded stuff)',
>    'id_token' => '(encoded stuff)',
>    'scope' => 'openid https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email',
>    'expires_in' => 3598,
>    'token_type' => 'Bearer'
>}
Then 'id_token' is split (into 3 parts) by '.' and the middle part is decoded
into another JSON that contains the claims. Hope this helps comprehension.

-- 
You are receiving this mail because:
You are watching all bug changes.
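The validation step the comment is unsure about, as an added example that is not Koha's code and not part of this thread: it uses Mojo::JWT (suggested in comment #42) with the provider's jwks_uri from the discovery document, selecting the key by the token's kid. The helper name, the issuer URL and the client id are assumptions; the token response hash is the one shown in the comment.

```perl
use Mojo::Base -strict;
use Mojo::UserAgent;
use Mojo::JWT;

# validate_id_token (hypothetical helper): verify an OIDC id_token before
# trusting any of its claims. $token_response is the hash shown in the
# comment (access_token, id_token, ...), $issuer_url is the provider base
# (e.g. https://accounts.google.com, assumed config value) and $client_id
# is this OPAC's OAuth client id (assumed config value).
sub validate_id_token {
    my ( $token_response, $issuer_url, $client_id ) = @_;
    my $ua = Mojo::UserAgent->new;

    # 1. The discovery document tells us where the signing keys live.
    my $discovery =
      $ua->get("$issuer_url/.well-known/openid-configuration")->result->json;

    # 2. The JWKS is a list of public keys, each tagged with a kid.
    #    In production this should be cached, not fetched on every login.
    my $jwks = $ua->get( $discovery->{jwks_uri} )->result->json->{keys};

    # 3. Mojo::JWT looks up the key matching the kid in the token header,
    #    checks the RS256 signature and the exp/nbf claims, and dies on
    #    any failure (bad signature, unknown kid, expired token).
    my $claims =
      Mojo::JWT->new( jwks => $jwks )->decode( $token_response->{id_token} );

    # 4. Mojo::JWT does not check who issued the token or who it was issued
    #    for; OIDC Core 3.1.3.7 requires the client to check iss and aud.
    die "unexpected issuer '$claims->{iss}'"
      unless $claims->{iss} eq $discovery->{issuer};
    my @aud =
      ref $claims->{aud} eq 'ARRAY' ? @{ $claims->{aud} } : ( $claims->{aud} );
    die "id_token was not issued for this client"
      unless grep { $_ eq $client_id } @aud;

    # Only now are $claims->{sub} / $claims->{email} safe to use for login.
    return $claims;
}
```

Splitting the token on '.' and base64-decoding the middle part, as the current code does, reads the claims but proves nothing about who wrote them; the signature check above is what ties them to the provider.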


More information about the Koha-bugs mailing list