[Security] OIDC Discovery #50433

Closed
vincentchalamon opened this issue May 25, 2023 · 2 comments · Fixed by #54932
Comments

@vincentchalamon
Contributor

vincentchalamon commented May 25, 2023

Description

On the OIDC User Info (experimental) feature, the Symfony Security Bundle configuration allows passing a custom client, or auto-creating a client from the configuration passed (e.g. base_uri).

The OIDC Discovery Specification specifies a .well-known entrypoint to discover the User Info entrypoint and other public information. It would be better to consume this entrypoint instead of statically specifying the client base_uri.

As some OIDC servers don't implement this Discovery Specification, and for backward compatibility, it should still be possible to use the OIDC User Info feature without any .well-known entrypoint (as it's already the case in 6.3).

Question: should it be a new feature or a bugfix?

Example

Current implementation (still valid):

security:
  firewalls:
    main:
      oidc_user_info:
        # using a custom Symfony HTTP Client
        client: my-client
        # using an auto-generated client
        client:
          base_uri: https://www.example.com/protocol/openid-connect/userinfo

Using OIDC Discovery:

security:
  firewalls:
    main:
      oidc_user_info:
        # proposal 1: add a "well_known" option non combinable with "client" option
        well_known: https://www.example.com/.well-known/openid-configuration
        # proposal 2: use "client" option to set the Well Known URI, and detect it in the token handler
        client:
          base_uri: https://www.example.com/.well-known/openid-configuration
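As an added illustration of what "consume the .well-known entrypoint, but keep the static base_uri as a fallback" means in practice, here is a small resolver (example code, not part of the Symfony bundle or of this issue). It assumes a constructed discovery document with placeholder values and the checks a defender would want before trusting the discovered endpoint: the issuer in the document must match the configured issuer, and the userinfo_endpoint must be https on the issuer's host.

```python
import json
from urllib.parse import urlparse

# Constructed sample of the JSON served at
# https://www.example.com/.well-known/openid-configuration (placeholder values).
SAMPLE_DISCOVERY = (
    '{"issuer": "https://www.example.com",'
    ' "userinfo_endpoint": "https://www.example.com/protocol/openid-connect/userinfo",'
    ' "jwks_uri": "https://www.example.com/protocol/openid-connect/certs"}'
)


class DiscoveryError(ValueError):
    """Raised when a discovery document cannot be trusted or is unusable."""


def userinfo_endpoint_from_discovery(document: str, expected_issuer: str) -> str:
    """Return userinfo_endpoint from a discovery document after validating it.

    The issuer claim must equal the configured issuer (the discovery spec
    requires this match), and the endpoint must be https on the same host,
    so a tampered or misrouted document cannot redirect user-info requests.
    """
    try:
        data = json.loads(document)
    except json.JSONDecodeError as exc:
        raise DiscoveryError(f"discovery document is not JSON: {exc}") from None
    if data.get("issuer") != expected_issuer:
        raise DiscoveryError(f"issuer mismatch: {data.get('issuer')!r} != {expected_issuer!r}")
    endpoint = data.get("userinfo_endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        raise DiscoveryError("userinfo_endpoint missing from discovery document")
    parsed = urlparse(endpoint)
    if parsed.scheme != "https":
        raise DiscoveryError("userinfo_endpoint must use https")
    if parsed.hostname != urlparse(expected_issuer).hostname:
        raise DiscoveryError("userinfo_endpoint host differs from issuer host")
    return endpoint


def resolve_userinfo_endpoint(discovery_document, expected_issuer, static_base_uri=None):
    """Prefer discovery; fall back to the statically configured base_uri when the
    provider serves no discovery document (passed here as None), which keeps the
    pre-discovery configuration from the issue working unchanged."""
    if discovery_document is None:
        if static_base_uri is None:
            raise DiscoveryError("no discovery document and no static base_uri configured")
        return static_base_uri
    return userinfo_endpoint_from_discovery(discovery_document, expected_issuer)
```

In a real client the document string would come from an HTTPS GET of the well-known URL; the validation logic is the same.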
@carsonbot

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

@vincentchalamon
Contributor Author

Hey @carsonbot, this issue is still relevant; I just haven't had time to work on it yet.
