Comments (11)
The spec doesn't require validation of paths, but it does specifically allow paths to be part of the issuer to support multi tenancy. If you make the assumption that such multi tenant issuers would organize their endpoints underneath the issuer, I think there is value in validating the paths. And while that is an assumption/not explicitly part of the spec, I would be reluctant to change the default behavior.
What if we kept the current behavior as default, but add a flag to disable validation of paths?
from identitymodel.
Looking at this a little closer, there actually already is the DiscoveryPolicy.AdditionalEndpointBaseAddresses
that will accomplish this. I verified the usage by putting the sample discovery document above into the file discovery_endpoints_not_relative.json, and then running this test (which passes without changes):
[Fact]
public async Task AdditionalEndpointBaseAddresses_should_be_respected()
{
var discoFileName = FileName.Create("discovery_endpoints_not_relative.json");
var document = File.ReadAllText(discoFileName);
var handler = new NetworkHandler(request => document, HttpStatusCode.OK);
var client = new HttpClient(handler)
{
BaseAddress = new Uri("https://auth.domain.tld/oauth2/openid/jellyfin-aer")
};
var discoRequest = new DiscoveryDocumentRequest();
discoRequest.Policy.AdditionalEndpointBaseAddresses.Add("https://auth.domain.tld");
var disco = await client.GetDiscoveryDocumentAsync(discoRequest);
disco.IsError.Should().BeFalse();
disco.AuthorizeEndpoint.Should().Be("https://auth.domain.tld/ui/oauth2");
disco.TokenEndpoint.Should().Be("https://auth.domain.tld/oauth2/token");
disco.JwksUri.Should().Be("https://auth.domain.tld/oauth2/openid/jellyfin-aer/public_key.jwk");
}
So, I think we don't need to add any new options here. We can just update the error message to help users understand the situation better, and maybe even mention that AdditionalEndpointBaseAddresses exists.
from identitymodel.
It's been a while, but you know that you can plugin your own validators?
from identitymodel.
That may be so, but the defaults matter and if they are "over-verifying" then people will disable them. So shouldn't it do the right things by default?
from identitymodel.
That would be up for discussion - it is always hard to change defaults in a library that has hundreds of millions of downloads. Feel free to write up a proposal in form of a PR.
from identitymodel.
I'm not a C# developer, I'm the person who writes the IDP that's triggering this behaviour. I raised this to hopefully help and improve the defaults you offer, but I won't be submitting any PR's. That would be up to @9p4 or yourself.
from identitymodel.
We would like to suggest that
That the error return it's expected values, not just the endpoint value (e.g. Endpoint is on a different host than authority: {endpoint} expected {host} )
@josephdecock I could see adding this requested change in our current round of work.
I'm unsure if we should change the behavior of the rest. My sense is that no one would know enough to ever enable the strong validation check.
from identitymodel.
There is already a flag to disable the validation of paths, but this is not ideal since this issue is about the same domain (with different paths).
from identitymodel.
This would resolve our issues for our users, while retaining the origin validation that is a valuable security check.
from identitymodel.
There is already a flag to disable the validation of paths.
It also disables origin checking.
from identitymodel.
The new error message is now released in preview 3 of our upcoming 7.0.0 release!
from identitymodel.
Related Issues (20)
- Calls to RefreshTokenAsync not working anymore after 6.1 upgrade HOT 1
- Support net8.0 target in NuGet package HOT 7
- NullReferenceException in ProtocolResponse.FromHttpResonseAsync
- Why an Email claim is not unique HOT 2
- Add extension method to do PAR backchannel push
- Add PAR related constants
- UWP authentication with Azure AD fail in some devices
- Add constructor to DiscoveryCache to dynamically resolve authority URL HOT 3
- Validating AWS Cognito access tokens which have no aud claim HOT 1
- identitymodel is missing NuGet package README file
- RequestauthoizationCodeTokenAsync ContentType of application/json HOT 2
- Mirror repo readme to nuget HOT 1
- Document client credential style HOT 1
- Document AdditionalEndpointBaseAddresses in discovery policy HOT 1
- Update docs to use demo.duendesoftware.com
- Document DPoP
- IsAuthenticated == false after upgrading from 4.0.0 to anything above. HOT 2
- Consider deprecating DateTimeExtensions
- Provide a helper method to derive a code challenge from a code verifier HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from identitymodel.