From 8619fa7fa69e679cad1fdf475476e5bbb44512b0 Mon Sep 17 00:00:00 2001
From: Jane Jeon
Date: Thu, 31 Aug 2023 10:16:39 +0100
Subject: [PATCH] add support for client auth methods that require client secret
---
 .env | 4 ++++
 middlewares/passport.js | 5 ++++-
 website/docs/2. Installation/2.1 Prerequisites.md | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/.env b/.env
index f4ce70d9..5ed4cab0 100644
--- a/.env
+++ b/.env
@@ -42,6 +42,10 @@ OIDC_CLIENT_ID=
 OIDC_ISSUER_BASE_URL=
 OIDC_HTTP_TIMEOUT=15 seconds
+### Optional OIDC Config - the values here will work for most people; however, in some cases, you may need to set the secret.
+OIDC_CLIENT_SECRET=
+OIDC_TOKEN_ENDPOINT_AUTH_METHOD=none
 ## OAuth2 Config for API access to Blink; disable if you don't use this
 OAUTH2_ENABLED=true
 OAUTH2_JWT_ALGORITHMS=RS256
diff --git a/middlewares/passport.js b/middlewares/passport.js
index daec0db8..08196f4d 100644
--- a/middlewares/passport.js
+++ b/middlewares/passport.js
@@ -20,10 +20,13 @@ Issuer.discover(process.env.OIDC_ISSUER_BASE_URL)
 client = new issuer.Client({
 client_id: process.env.OIDC_CLIENT_ID,
+ client_secret: process.env.OIDC_CLIENT_SECRET || undefined, // you shouldn't need this in most cases
 redirect_uris: [`${process.env.BASE_URL}/auth/login/callback`],
 response_types: ['code'], // can't use implicit flow because #this-part-gets-stripped-away
 id_token_signed_response_alg: 'RS256', // since RS256 is asymmetric encryption, we can safely use
- token_endpoint_auth_method: 'none' // this - we can verify the token w/o having the secret key!
+ token_endpoint_auth_method:
+ // this - we can verify the token w/o having the secret key!
+ process.env.OIDC_TOKEN_ENDPOINT_AUTH_METHOD || 'none'
 })
 passport.use(
diff --git a/website/docs/2. Installation/2.1 Prerequisites.md b/website/docs/2. Installation/2.1 Prerequisites.md
index 7afa1b79..511ee5b2 100644
--- a/website/docs/2. Installation/2.1 Prerequisites.md
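Review bot: `.env` is a tracked file (it is being patched here), so the new empty `OIDC_CLIENT_SECRET=` placeholder invites an operator to paste a real secret into something that ends up in version control. I would extend the new `###` comment in the same hunk to say where the value belongs, e.g. `### If your provider insists on a secret, supply OIDC_CLIENT_SECRET through the process environment or an untracked override file; do not commit it here.` Whether the project loads an override file such as `.env.local` is not visible in this diff, so the comment should only name whichever mechanism the loader actually supports.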
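Review bot: When `OIDC_TOKEN_ENDPOINT_AUTH_METHOD` is set to a `client_secret_*` method but `OIDC_CLIENT_SECRET` is left empty, the new `client_secret: process.env.OIDC_CLIENT_SECRET || undefined` line silently builds a client with no secret, and the misconfiguration presumably only surfaces at the first token exchange (an openid-client error or a 401 from the provider) instead of at startup. I would resolve both variables into locals and fail fast before the `new issuer.Client({...})` call so the operator gets a clear message rather than a broken login; note that a throw inside this `.then` callback only stops the process if the discovery chain has no swallowing `.catch`, which is not visible here. Separately, the `// this - we can verify the token w/o having the secret key!` comment is now split between the `id_token_signed_response_alg` line and the new method lines and reads as a fragment; I would put the whole sentence on the `id_token_signed_response_alg` line and give the method its own comment, e.g. `// 'none' keeps Blink a public client; override only for providers that insist on a secret`. The enclosing `.then(issuer => { ... })` callback starts and ends outside the hunk.
```javascript
// inside the .then(issuer => { ... }) callback, before the client is built
const tokenEndpointAuthMethod = process.env.OIDC_TOKEN_ENDPOINT_AUTH_METHOD || 'none'
const clientSecret = process.env.OIDC_CLIENT_SECRET || undefined
// client_secret_basic / client_secret_post / client_secret_jwt cannot work without a secret; reject at boot
if (tokenEndpointAuthMethod.startsWith('client_secret_') && !clientSecret) {
  throw new Error(
    `OIDC_TOKEN_ENDPOINT_AUTH_METHOD=${tokenEndpointAuthMethod} requires OIDC_CLIENT_SECRET to be set`
  )
}

client = new issuer.Client({
  client_id: process.env.OIDC_CLIENT_ID,
  client_secret: clientSecret, // only needed for client_secret_* auth methods
  // … unchanged: redirect_uris, response_types …
  id_token_signed_response_alg: 'RS256', // RS256 is asymmetric, so we can verify the ID token w/o holding the secret key
  token_endpoint_auth_method: tokenEndpointAuthMethod // 'none' keeps Blink a public client; override only for providers that insist on a secret
})
```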
+++ b/website/docs/2. Installation/2.1 Prerequisites.md
@@ -66,5 +66,5 @@ The reason we are able to use the token endpoint without authenticating with the
 And as the asymmetric signing algorithm may suggest, this means that Blink is indeed a public application [(which means a very specific thing in the OAuth2 spec)](https://auth0.com/docs/configure/applications/confidential-public-apps), not expected to hold any secrets. Therefore, you should ensure that the OIDC provider does support public applications like this.
-~~_themoreyouknow.gif_~~
+**However**, in some rare cases, the OIDC provider may still require a client secret even though it supports asymmetric signing algorithms (e.g. Google Workspace). In that case, you can specify an alternate client authentication method (because remember, `none` means no secret is ever sent out) by specifying `OIDC_TOKEN_ENDPOINT_AUTH_METHOD` to something else (again, please check your provider's well-known endpoint to see which methods are supported), and specify the `OIDC_CLIENT_SECRET` environment variable.
 :::