The /oauth/jwks endpoint currently requires authentication (see simple_oauth.routing.yml L93-102), which prevents its intended use case.
JWKS endpoints must be publicly accessible because they contain public keys used by client applications and resource servers to verify JWT signatures. This is a fundamental requirement of asymmetric cryptography in OAuth 2.0 and OpenID Connect flows (RFC 7517: https://www.rfc-editor.org/rfc/rfc7517).
Additionally, the module doesn't follow the industry convention (not a standard) of publishing discovery material under /.well-known/. According to OpenID Connect Discovery (https://openid.net/specs/openid-connect-discovery-1_0.html) and RFC 8414 (https://www.rfc-editor.org/rfc/rfc8414), the JWKS URI is typically located at or near /.well-known/jwks.json. Major providers (Auth0, Google, Microsoft, Okta) follow this pattern.
1. Attempt to access /oauth/jwks without authentication
2. Observe 403 Forbidden response
3. Note that no /.well-known/jwks.json path exists

1. Remove the authentication requirement from the /oauth/jwks route definition, changing it to allow anonymous access
2. Add a path alias or route that makes the JWKS available at /.well-known/jwks.json pointing to the same controller
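A check that covers both sides of this issue, as an added example that is not part of the module or of this issue: an unauthenticated fetch of the JWKS must succeed (no 403), and the document it returns must carry public key parameters only. The sample responses are constructed; `check_jwks_response` is a hypothetical helper that takes the status code and body of such a fetch.

```python
import json

# Private-key members that must never appear in a published JWK (RFC 7517 / RFC 7518).
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k", "oth"}
# Public parameters each key type needs before a verifier can use it.
REQUIRED_BY_KTY = {"RSA": {"n", "e"}, "EC": {"crv", "x", "y"}, "OKP": {"crv", "x"}}


def check_jwks_response(status_code, body):
    """Return findings for an unauthenticated fetch of a JWKS endpoint.

    An empty list means the document is publishable: reachable anonymously,
    well-formed, and carrying public parameters only.
    """
    findings = []
    if status_code != 200:
        findings.append(f"anonymous request returned {status_code}; JWKS must be public")
        return findings
    try:
        doc = json.loads(body)
    except ValueError:
        return ["body is not valid JSON"]
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        return ["document has no non-empty 'keys' array"]
    for i, jwk in enumerate(keys):
        present = set(jwk)
        kty = jwk.get("kty")
        if kty not in REQUIRED_BY_KTY:
            findings.append(f"key {i}: unsupported or missing kty {kty!r}")
            continue
        missing = REQUIRED_BY_KTY[kty] - present
        if missing:
            findings.append(f"key {i}: missing public parameters {sorted(missing)}")
        leaked = PRIVATE_MEMBERS & present
        if leaked:
            findings.append(f"key {i}: private parameters exposed {sorted(leaked)}")
        if "kid" not in jwk:
            findings.append(f"key {i}: no kid; clients cannot select it during rotation")
    return findings


# Constructed sample responses (not real keys; the modulus values are placeholders).
FORBIDDEN = (403, '{"message": "Access denied"}')
GOOD = (200, json.dumps({"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                                    "kid": "key-1", "n": "sample-modulus", "e": "AQAB"}]}))
LEAKING = (200, json.dumps({"keys": [{"kty": "RSA", "kid": "key-1", "n": "sample-modulus",
                                       "e": "AQAB", "d": "private-exponent"}]}))

if __name__ == "__main__":
    for label, resp in (("forbidden", FORBIDDEN), ("good", GOOD), ("leaking", LEAKING)):
        print(label, check_jwks_response(*resp) or "ok")
```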
- [ ] Update routing configuration to allow public access
- [ ] Add /.well-known/jwks.json alias/route
- [ ] Update documentation
- [ ] Add tests for anonymous access
User interface changes: None.
API changes:
- /oauth/jwks becomes publicly accessible (backwards compatible)
- New endpoint: /.well-known/jwks.json (addition only)
Data model changes: None.
Status: Fixed
Version: 6.0
Component: OpenID Connect