Implement JWKs (RFC 7517) and OAuth metadata (RFC 8414)

Created on 4 October 2020, over 4 years ago
Updated 26 January 2023, almost 2 years ago

Problem/Motivation

Forked off from ✨ [PP-1] Support OpenID Connect Discovery (status: Needs review), this issue intends to implement RFC 7517 JWKs, either for standalone use or in conjunction with OpenID Connect Discovery (the original ticket).

Remaining tasks

Implementation and testing.

Since we already outsource most of the under-the-hood crypto operations to league/oauth2-server, and it in turn requires lcobucci/jwt, it would make the most sense to help complete the JWK implementation in the latter library (an issue to do this has been open for 5+ years, but is still active). It may be possible to lift the code from web-token/jwt-framework to do this, since it is MIT-licensed and looks rather mature. (It would probably be impractical, though, to suggest swapping JWT libraries.)

Another approach would be to require web-token/jwt-framework directly and, if JWKs support ever lands in league or its dependencies, drop the additional library from our dependencies.

I (@bradjones1) am leaning toward trying to contribute this to lcobucci/jwt, seeing as JWK is on its roadmap and the maintainer is actively involved, and this is supporting the software we are already using.

User interface changes

None.

API changes

Additions but no removals.

Data model changes

None.

✨ Feature request
Status

Needs work

Version

6.0

Component

Code

Created by

🇺🇸 United States bradjones1 Digital Nomad Life


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States nate covington

    I'm in the process of trying to use Drupal + Simple_Oauth as the single sign on server for Synapse / Matrix.

    When I set up the configuration for OpenID Connect in Synapse homeserver.yaml file, it was getting a 403 forbidden error when it tried to connect to the /oauth/jwks endpoint.

    Just to document my solution: I retrieved my public.key value from the Simple_Oauth module.

    Then I used this converter tool:
    https://russelldavies.github.io/jwk-creator/

    And created a /.well-known/jwks file by hand.

    That allowed Synapse to start up with the homeserver.yaml settings intact - yay!

    However, when I tried to use app.element.io to log in using Drupal, Synapse was giving this "not canonical" error:

    2023-01-26 17:36:53,521 - synapse.rest.client.login - 621 - INFO - GET-80 - Requested URI https://matrix.covingtoncreations.net/_matrix/client/r0/login/sso/redirect/oidc-drupal?redirectUrl=https%3A%2F%2Fapp.element.io%2F is not canonical: redirecting to https://covingtoncreations.net/_matrix/client/r0/login/sso/redirect/oidc-drupal?redirectUrl=https%3A%2F%2Fapp.element.io%2F
    2023-01-26 17:36:53,522 - synapse.access.http.8008 - 460 - INFO - GET-80 - 10.0.0.1 - 8008 - {None} Processed request: 0.002sec/-0.001sec (0.000sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/r0/login/sso/redirect/oidc-drupal?redirectUrl=https%3A%2F%2Fapp.element.io%2F HTTP/1.1" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0" [0 dbevts]

    It's trying to get back to matrix.example.com, but for some reason it's passing it over to example.com, and the matrix server isn't able to actually process the remainder.
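
The conversion the comment above does by hand (the module's public.key PEM turned into a JWK and served as a JWK Set), as an added example that is not code from the Simple OAuth module, lcobucci/jwt, web-token/jwt-framework or the converter tool linked above. It assumes the key is an RSA SubjectPublicKeyInfo PEM, uses only the Python standard library, and the function names and the sample key are constructed for illustration.

```python
import base64, hashlib, json
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER OBJECT IDENTIFIER rsaEncryption

def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _tlv(tag: int, body: bytes) -> bytes:  # DER tag/length/value, long length form above 127 bytes
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body

def spki_pem(n: int, e: int) -> str:  # (n, e) -> PEM SubjectPublicKeyInfo, the layout of public.key
    der_int = lambda v: _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # leading 0x00 if top bit set
    alg = _tlv(0x30, RSA_OID + b"\x05\x00")                           # AlgorithmIdentifier with NULL params
    key = _tlv(0x03, b"\x00" + _tlv(0x30, der_int(n) + der_int(e)))   # BIT STRING wrapping RSAPublicKey
    b64 = base64.b64encode(_tlv(0x30, alg + key)).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def _read(buf: bytes, pos: int):  # decode one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def rsa_public_numbers(pem: str) -> tuple:  # (n, e) from a SubjectPublicKeyInfo PEM; RSA only
    der = base64.b64decode("".join(line for line in pem.splitlines() if not line.startswith("-----")))
    _, spki, _ = _read(der, 0)                   # outer SEQUENCE
    tag, alg, pos = _read(spki, 0)               # AlgorithmIdentifier SEQUENCE
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, rsa_key, _ = _read(_read(spki, pos)[1], 1)  # BIT STRING (unused-bit byte first) over RSAPublicKey
    _, n_bytes, pos = _read(rsa_key, 0)          # INTEGER modulus (may carry a leading 0x00)
    _, e_bytes, _ = _read(rsa_key, pos)          # INTEGER publicExponent
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def rsa_jwk(n: int, e: int, alg: str = "RS256") -> dict:  # kid = RFC 7638 thumbprint: same key, same id
    uint = lambda v: _b64url(v.to_bytes((v.bit_length() + 7) // 8, "big"))  # RFC 7518 Base64urlUInt
    required = {"e": uint(e), "kty": "RSA", "n": uint(n)}
    canonical = json.dumps(required, sort_keys=True, separators=(",", ":"))  # required members, no whitespace
    return {**required, "kid": _b64url(hashlib.sha256(canonical.encode()).digest()), "use": "sig", "alg": alg}

def jwks(pems) -> dict:  # the document a /.well-known/jwks or /oauth/jwks endpoint would serve
    return {"keys": [rsa_jwk(*rsa_public_numbers(p)) for p in pems]}
# Constructed sample: a 2048-bit odd number standing in for a modulus; not a real key pair.
SAMPLE_N = int.from_bytes(hashlib.sha512(b"constructed sample").digest() * 4, "big") | (1 << 2047) | 1
SAMPLE_PEM = spki_pem(SAMPLE_N, 65537)
```

Because the kid is the RFC 7638 thumbprint rather than a hand-chosen label, regenerating the file for the same key yields the same document, so a relying party such as Synapse keeps matching the kid in the token header.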
