After the next jose-jwt release, it will be using cryptonite, so broch will probably have to switch too.

This should be the same functionality as the UserInfo case, depending on the client's metadata preferences and keys.

A recent audit flagged the session bsid cookies as missing the secure flag. Looks like it's just commented out in
https://github.com/tekul/broch/blob/master/Broch/Server/Session.hs#L126
Is there an easy way to enable this without re-implementing defaultLoadSession?

OP-Discovery-Values fails because this is missing.

Only supports RSA signing using the server key just now. Signing with the client_secret should also be supported (OP-IDToken-HS256 fails).

See http://openid.net/specs/openid-connect-core-1_0.html#Signing

These are currently ignored, other than as provided to the client via the discovery response. The client can still use unsupported options in requests and have them processed. For example

• responseTypesSupported should be checked when processing an authorization request
• algorithmsSupported should be checked in id token creation, user info responses, request object (when implemented) and client auth signing. It may be sufficient to check some of them when registering the client, since the client's specific algorithms are stored with its data.

Both these and clientAuthMethodsSupported should be checked when registering the client.

See

http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

Need to work out what possible use cases apply.

Replace pattern matching with a routing package like reroute so that routing tables can be modified added to etc.

See http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes

Conformance test OP-C-04 currently fails. Signed responses should be a JWT.

See Section 5.3.2 of the spec.

This parameter controls whether the user is asked to reauthenticate or not, amongst other things.

See

http://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint

Apparently because jwt-bearer authentication is failing at the token endpoint:

6.056765 ------------ AccessTokenRequest ------------
6.070599 --> URL: https://connect.broch.io/oauth/token
6.070606 --> BODY: code=5b68c016317953fa&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&redirect_uri=https%3A%2F%2Foictest.umdc.umu.se%3A8101%2Fauthz_cb&client_assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6ImExIn0.eyJhdWQiOiBbImh0dHBzOi8vY29ubmVjdC5icm9jaC5pby9vYXV0aC90b2tlbiJdLCAiaXNzIjogImVmNTViYWFhNzAyMWM0ZDciLCAianRpIjogIlBjZnAzZ0hGIiwgImV4cCI6IDE0MjM4MjczNTIsICJpYXQiOiAxNDIzODI2NzUyLCAic3ViIjogImVmNTViYWFhNzAyMWM0ZDcifQ.fdCY3O6JU2hWZAOacdZkfXWgbclO9ZP990lrZuoV7pcPY_NMkXxDzrtIf4eenXFc1YOFujiCmtxKopvFp3fMpcdweO1we4N37l5FsuI9AFCTGyrNdoay42EXdimG2FV4shA8HKjmp0Y36Pt0Vvv6VkzMguIlwOWYJ77_s2UHny9YBLcMwT5tGwL84yYRinuocnnx9yYQv1LeHE-RYEk8zG8yFqNRfoRrOoid3HwfgwA0giwksVmhRLwYJXrdh97aFmmAnXTOH9Br6tKqE8E30zQMr_fxL-lyFuaG5PgIT8T3X17HbY8ym-9DabVp5NgTlJJE88npVuALlOCbzgeGgg&client_id=ef55baaa7021c4d7&grant_type=authorization_code
6.070613 --> HEADERS: {'Content-type': 'application/x-www-form-urlencoded'}
6.539187 <-- STATUS: 400
6.539302 ErrorResponse: {
  "error": "invalid_client"
}
6.540084 [ERROR] WHERE: check-http-response
6.540091 [ERROR] STATUS:CRITICAL
6.540093 [ERROR] HTTP STATUS: 400
6.540094 [ERROR] INFO: {"error": "invalid_client"}
6.540733 [ERROR] FatalError:{"error": "invalid_client"}

Currently only an exact match is allowed, whereas varying the query string is allowed in some cases - From 3.1.2.2 of RFC-6749:

   The authorization server SHOULD require the client to provide the
   complete redirection URI (the client MAY use the "state" request
   parameter to achieve per-request customization).  If requiring the
   registration of the complete redirection URI is not possible, the
   authorization server SHOULD require the registration of the URI
   scheme, authority, and path (allowing the client to dynamically vary
   only the query component of the redirection URI when requesting
   authorization).

So the checks should probably be:

• Make sure there's no fragment
• Verify everything apart from the query string matches
• If the registered URI has a query string, make sure those parameters match
• Allow the client to add additional query parameters

The OP needs to be able to manage keys as defined in

http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys

• Configure a lifetime for key(s) and a grace period within which old keys are valid
• Set a cache-control header on the jwks endpoint, based on the lifetime
• Retain old keys internally for the grace period

An RP implementation should be able to use the same code

I just came across your project and I would like to find out if there is any sample code that shows the framework being used along Servant? I really appreciate your blogs and hope to read more of them. Thanks for your help.

Session isn't destroyed properly

The code only checks for an authorization header at the moment, so OP-UserInfo-Body fails.

An error page for errors which are reported to the users, rather than as redirects to the client.

Currently the textual error is just printed in the browser.

These are allowed by OAuth2 and the query parameters should be retained when building the new redirect. The current code is broken in that it will append a new query on the end.

Both the error and success cases need to be dealt with. The code should be refactored to share the redirect URL building functionality.

Should be validated as per http://openid.net/specs/openid-connect-registration-1_0-20.html#Security

http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

Remove hard-coded stuff and use the Config instance instead.

As described in the client authentication section of the spec, client assertion JWTs should only be used once. A caching/checking function is needed to make sure the same token identifier isn't submitted more than once.

The text routing code has been removed from reroute in the latest LTS version, so need to switch to the SafeRouting option (if it makes sense).

At supercede we've made a yesod integration for this library.
However it currently doesn't build out of the box because this library was never uploaded to hackage.
Please upload this software to hackage!

Test OP-Registration-Sector-Bad fails, because the URI passed by the client is ignored, when the document actually contains a host which is not included in the registered redirect_uri list.

OP-OAuth-2nd-Revokes requires that using an authorization code twice revokes access tokens.

See also 10.5 of RFC6749

The requirement is only for access tokens based on the code itself, but this won't be possible for JWT tokens which aren't cached at the OP. The code would also have to be stored with the token.

This is more a question than an issue. We're running a server pretty much based on the example server (but with different authentication). After about 5 days, some clients seem to stop working until we restart one or both services, which seems to correspond to the default key TTL. Does rotateKeys need to be called manually every 5 days, or is some other process necessary? The docs just say the function exists in case you need to manually generate new ones, but the example only calls the function when it starts.

See

http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest

OP should reject authorization request missing redirect_uri when client has more than one registered.

OP test OP-J-02 fails.

See OAuth 3.1.2.3.