Add nonce and/or OIDC to AshAuthentication

absowoot
2023-02-14

absowoot:

OIDC is built on top of OAuth2 and is already implemented in Assent. Some providers, Netsuite in my case, (seem to) require a nonce, which Assent provides when creating a new strategy and passing nonce: true.

https://github.com/pow-auth/assent/blob/b591e5a714765770340f6cf81e54db29118e511b/lib/assent/strategies/oidc.ex#L49

jart:

Thanks for posting this <@395990972011642882>. What I think needs to happen is that we need to add an OIDC strategy which will use the Assent OIDC provider. Hopefully not a huge deal. If I push a branch with support at some stage soon are you okay with testing it?

absowoot:

Absolutely

jart:

I’ve started a branch. It’s not ready to test yet, and I’m busy with customer stuff the rest of the day. I’ll likely get some time to work on it tomorrow morning or Monday.

absowoot:

Not a problem, thanks!

\ ឵឵឵:

If this is going to provide support for acting as an OIDC provider with the identity backed by an Ash resource, I’d be up for testing as well shortly. Was planning to use Hydra for this.

Will need to check into AshAuthentication first, but if I recall core (not _phoenix) is unopinionated about enrollment flows etc.?

ZachDaniel:

Correct. Given the resources you can pretty much implement whatever you want on top of them

jart:

Hey folks. Sorry this took so long, but I think I’ve finished the OIDC strategy. I’m waiting for a release of spark to fix some dialyzer errors, but in the meantime can you please test the feat/oidc-strategy branch with your use cases?

absowoot:

Thanks for the update <@346791515923939328> Here are some issues I’m running into (I’m still new to Elixir so these could be on my end)

  1. ash_authentication_phoenix complains about a missing icon for :oidc, and I couldn’t figure out how to pass an existing icon like github.

  2. Setting nonce “true” sets nonce=true in the URL for my OIDC provider. Setting nonce true gives an “Authentication Error” when visiting /auth/oidc/new. Using the statement below in user.ex also gives an “Authentication Error” when visiting /auth/oidc/new:

     nonce fn _, _ -> 24 |> :crypto.strong_rand_bytes() |> Base.encode64(padding: false) |> binary_part(0, 24) end

     So I set one manually for testing.

  3. My provider shows that I successfully log in, but the callback page shows “Authentication Error”. I suspect there is something I’m missing, and help would be appreciated. Here is my user.ex: https://gist.github.com/absowoot/ac5b78442114f838b7b7d78c79378516

jart:

Does it make sense to not have a nonce generated for an OpenID Connect strategy?

\ ឵឵឵:

Yes and no… You kill the protection from token injection.

jart:

right so should we even support it?

jart:

turning off the nonce I mean

\ ឵឵឵:

I want to say no, but it is standard to do so <:thinkies:915154230078222336>

\ ឵឵឵:

Default to true for sure, at least.

jart:

~so I’ve been re-reading the assent source code and it looks like they don’t actually verify the nonce in any way, so I guess AshAuthentication should do that ~

jart:

scratch that

jart:

<@395990972011642882> okay, I’ve just pushed up some changes to that branch. The nonce DSL value can be set to true, false or {SomeSecretModule, opts}. You have to explicitly set it to false to disable nonce generation now. I also pushed a new version of ash_authentication_phoenix which has the oidc icon present and renders a default icon when it can’t find one for the strategy. I have it working here with my Auth0 test account, but keen to find out more from you.

\ ឵឵឵:

Not sure if this is still the case, the last time I used it for OIDC was a couple years ago, but Cognito still didn’t support nonce, and would thus break things that wanted it. Might be worth a note in the docs.

absowoot:

<@346791515923939328> The updates are working great, thanks! I would agree with <@1033006865661050921> that the nonce should probably be set to false by default.

absowoot:

One issue that I’m seeing is that the following items are required in the OAuth2 plug but should generally pull from the openid_configuration:

  1. authorize_url
  2. token_url

For reference, here is the config I was using with POW assent which worked as expected: https://gist.github.com/absowoot/fe67de899b81575fe4b6b5cdb64202db

Additionally, I tried setting the openid_configuration map and it doesn’t seem to work. Netsuite uses a different issuer than what’s in their /.well-known/openid-configuration.

absowoot:

Note that Assent also added trusted_audiences to their config recently which is another item that I need to pass

ZachDaniel:

<@395990972011642882> can you put those observations in a GH issue on ash_authentication? If the OIDC stuff is working well for those that need it now, we probably won’t prioritize improvements in the short term, but having that documented in an open issue would be good for the future.

absowoot:

Yeah, absolutely! I didn’t want to clog up GH issues for a branch, but I’ll get these comments posted there.

ZachDaniel:

oh, right, I forgot this is in a branch. But if it’s working, we should merge it 😄

ZachDaniel:

but yeah an issue is good 👍

absowoot:

Should I wait for merge?

ZachDaniel:

nah, go for it. Just mention that the branch isn’t merged yet, and feel free to say that I asked you to open the issue 🙂

jart:

Thanks <@395990972011642882> for the great feedback. I was really struggling with the fact that the oidc strategy should probably just have its own callback plug, but there’s so much shared DNA with oauth2 that I couldn’t bring myself to do it.

jart:

Re merging: the build doesn’t pass because of an incorrect typespec in spark. I’ve been waiting for something more important to justify a spark release, but I’m not going to hold out much longer lol.

absowoot:

No problem – OIDC is definitely confusing and Netsuite doesn’t make it any easier from my side lol