Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support Globus with OpenID Connect #8926

Open
driusan opened this issue Nov 1, 2023 · 2 comments · Fixed by #8928
Open

Support Globus with OpenID Connect #8926

driusan opened this issue Nov 1, 2023 · 2 comments · Fixed by #8928
Assignees
@driusan
Labels
Category: Bug PR or issue that aims to report or fix a bug

Comments

@driusan
Copy link
Collaborator

driusan commented Nov 1, 2023

Describe the bug
#8255 added openid connect support to LORIS. It worked with some platforms, but not Globus for the following 2 reasons:

  1. Globus does not return "email_verified" (only email)
  2. JWK::parseKeySet() failed with Globus

For the first problem, we need to figure out how to securely handle it if the email has not been verified. For the second, we need to support another way to manually parse the key since the JWK response is missing the "kid" field at https://auth.globus.org/jwk.json
@driusan driusan added the Category: Bug PR or issue that aims to report or fix a bug label Nov 1, 2023
@driusan driusan self-assigned this Nov 1, 2023
driusan added a commit to driusan/Loris that referenced this issue Nov 1, 2023
@driusan
[OIDC] Handle providers that don't provide a 'kid' parameter
1a2aab0 
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Partially resolves aces#8926.
@driusan driusan mentioned this issue Nov 1, 2023
Merged
driusan added a commit that referenced this issue Nov 7, 2023
@driusan
[OIDC] Handle providers that don't provide a 'kid' parameter (#8928)
e740f5e 
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Relate to #8926.
@driusan
Copy link
Collaborator Author

driusan commented Nov 7, 2023

incorrectly auto-closed, only the parseKeySet part was resolved.

@driusan driusan reopened this Nov 7, 2023
@driusan
Copy link
Collaborator Author

driusan commented Jan 23, 2024

#8938 added support for adding hooks to the User Preferences page, where we can add a "Link your account to ..." option for already logged in users bypassing the problem of verified email being missing.

jeffersoncasimir pushed a commit to jeffersoncasimir/Loris that referenced this issue Feb 29, 2024
@driusan @jeffersoncasimir
[OIDC] Handle providers that don't provide a 'kid' parameter
a1b5021 
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Partially resolves aces#8926.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@driusan driusan

Labels
Category: Bug PR or issue that aims to report or fix a bug
Projects
LORIS RoadMap
Status: No status
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

[OIDC] Handle providers that don't provide a 'kid' parameter driusan/Loris
1 participant
@driusan