Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support retrieving configuration from .well-known/openid-configuration enpoint #805

Open
c0rydoras opened this issue Jul 13, 2023 · 0 comments
Open

Support retrieving configuration from .well-known/openid-configuration enpoint #805

c0rydoras opened this issue Jul 13, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@c0rydoras
Copy link

c0rydoras commented Jul 13, 2023
edited

Proposal

Proposal to implement #529 by supporting the retrieval of configuration data from the .well-known/openid-configuration endpoint, which would reduce the need for manual configuration.

Example

It would be supported to only define the realm and the client id

// config/environment.js

module.exports = function (environment) {
  let ENV = {
    // ...
    "ember-simple-auth-oidc": {
      realm: "http://authorization.server/openid/realms/foo",
      clientId: "foo",
    },
    // ...
  };
  return ENV;
};

and then read retrieve all the necessary data from the .well-known/openid-configuration endpoint e.g.

await fetch(`${realm}/.well-known/openid-configuration`).json()

which would return something like this:

{
  "issuer": "https://foo.local/auth/realms/foo",
  "authorization_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/auth",
  "token_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/token",
  "introspection_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://foo.local/auth/realms/foo/protocol/openid-connect/certs",
  "check_session_iframe": "https://foo.local/auth/realms/foo/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:openid:params:grant-type:ciba"
  ],
  "acr_values_supported": [
    "0",
    "1"
  ],
  "response_types_supported": [
    "code",
    "none",
    "id_token",
    "token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "subject_types_supported": [
    "public",
    "pairwise"
  ],
  "id_token_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "id_token_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "id_token_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "userinfo_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "userinfo_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "userinfo_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "request_object_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512",
    "none"
  ],
  "request_object_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "request_object_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post",
    "query.jwt",
    "fragment.jwt",
    "form_post.jwt",
    "jwt"
  ],
  "registration_endpoint": "https://foo.local/auth/realms/foo/clients-registrations/openid-connect",
  "token_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "token_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "introspection_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "introspection_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "authorization_encryption_alg_values_supported": [
    "RSA-OAEP",
    "RSA-OAEP-256",
    "RSA1_5"
  ],
  "authorization_encryption_enc_values_supported": [
    "A256GCM",
    "A192GCM",
    "A128GCM",
    "A128CBC-HS256",
    "A192CBC-HS384",
    "A256CBC-HS512"
  ],
  "claims_supported": [
    "aud",
    "sub",
    "iss",
    "auth_time",
    "name",
    "given_name",
    "family_name",
    "preferred_username",
    "email",
    "acr"
  ],
  "claim_types_supported": [
    "normal"
  ],
  "claims_parameter_supported": true,
  "scopes_supported": [
    "openid",
    "offline_access",
    "microprofile-jwt",
    "profile",
    "email",
    "acr",
    "address",
    "roles",
    "phone",
    "web-origins"
  ],
  "request_parameter_supported": true,
  "request_uri_parameter_supported": true,
  "require_request_uri_registration": true,
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "tls_client_certificate_bound_access_tokens": true,
  "revocation_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/revoke",
  "revocation_endpoint_auth_methods_supported": [
    "private_key_jwt",
    "client_secret_basic",
    "client_secret_post",
    "tls_client_auth",
    "client_secret_jwt"
  ],
  "revocation_endpoint_auth_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "HS256",
    "HS512",
    "ES256",
    "RS256",
    "HS384",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "device_authorization_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/auth/device",
  "backchannel_token_delivery_modes_supported": [
    "poll",
    "ping"
  ],
  "backchannel_authentication_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/ext/ciba/auth",
  "backchannel_authentication_request_signing_alg_values_supported": [
    "PS384",
    "ES384",
    "RS384",
    "ES256",
    "RS256",
    "ES512",
    "PS256",
    "PS512",
    "RS512"
  ],
  "require_pushed_authorization_requests": false,
  "pushed_authorization_request_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/ext/par/request",
  "mtls_endpoint_aliases": {
    "token_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/token",
    "revocation_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/revoke",
    "introspection_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/token/introspect",
    "device_authorization_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/auth/device",
    "registration_endpoint": "https://foo.local/auth/realms/foo/clients-registrations/openid-connect",
    "userinfo_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/userinfo",
    "pushed_authorization_request_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/ext/par/request",
    "backchannel_authentication_endpoint": "https://foo.local/auth/realms/foo/protocol/openid-connect/ext/ciba/auth"
  }
}
@c0rydoras c0rydoras added the enhancement New feature or request label Jul 13, 2023
@c0rydoras c0rydoras changed the title Support retrieving configuration from .well-known/openid-configuration enpoint Support retrieving configuration from .well-known/openid-configuration enpoint Jul 13, 2023
@derrabauke derrabauke mentioned this issue Dec 7, 2023
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@c0rydoras