
Add AdditionalAuthorizationParameters for OAuth/OIDC


I’m trying to create an app that allows my users to sign in with their Atlassian/Jira account. For this I’m using three-legged OAuth (3LO) as described in https://developer.atlassian.com/cloud/jira/platform/oauth-2-3lo-apps/ with ASP.NET Core Identity.

As described in the aforementioned document, their authorize endpoint requires the parameter audience to be set to api.atlassian.com. (See Implementing OAuth 2.0 (3LO), 1. Direct the user to the authorization URL to get an authorization code)

As far as I can tell from the source of OAuthHandler<>.BuildChallengeUrl(AuthenticationProperties, string), it is not possible to configure the audience parameter of the generated challenge url.

Describe the solution you’d like

I would like to be able to configure the audience parameter using OAuthOptions:

services.AddAuthentication().AddOAuth("Jira", options =>
{
    options.Audience = "api.atlassian.com";
});

Alternatively, a more generic solution I would like is something like a Dictionary<string, string> AdditionalAuthorizationParameters:

services.AddAuthentication().AddOAuth("Jira", options =>
{
    options.AdditionalAuthorizationParameters.Add("audience", "api.atlassian.com");
});

Additional context

Based on my quick research, requiring an audience on the Authorization Endpoint using the Authorization Code Grant does not conform to the OAuth protocol as described in RFC 6749, however I found that at least Auth0 and Atlassian do so.
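Until the handler itself exposes such an option, the parameter can be appended where the handler hands the finished challenge URL to the application: the OnRedirectToAuthorizationEndpoint event on OAuthEvents. The following is an added example written for this page, not code from the issue or from ASP.NET Core. It implements the dictionary-style solution proposed above as an extension method (the name AddAuthorizationParameters and the configuration keys Jira:ClientId / Jira:ClientSecret are this example's own choices), and it assumes the Atlassian endpoints and a scope that should be confirmed against the linked Atlassian document. The security-relevant detail is that the handler has already put the state token (and, with PKCE enabled, the code_challenge) into the URL by the time the event fires, so the helper only appends to that URL and refuses names the handler reserves rather than risking a duplicated or clobbered state parameter.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OAuth;
using Microsoft.AspNetCore.WebUtilities;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie()
    .AddOAuth("Jira", options =>
    {
        // Client credentials come from configuration (user-secrets / environment), never from source.
        // "Jira:ClientId" and "Jira:ClientSecret" are configuration keys chosen for this example.
        options.ClientId = builder.Configuration["Jira:ClientId"]
            ?? throw new InvalidOperationException("Jira:ClientId is not configured");
        options.ClientSecret = builder.Configuration["Jira:ClientSecret"]
            ?? throw new InvalidOperationException("Jira:ClientSecret is not configured");
        options.CallbackPath = "/signin-jira";

        // Endpoints and scope are assumptions for this example; confirm them against the Atlassian 3LO docs.
        options.AuthorizationEndpoint = "https://auth.atlassian.com/authorize";
        options.TokenEndpoint = "https://auth.atlassian.com/oauth/token";
        options.Scope.Add("read:me");

        // The non-standard parameter the issue is about. Values are static configuration,
        // never taken from the incoming request.
        options.AddAuthorizationParameters(new Dictionary<string, string>
        {
            ["audience"] = "api.atlassian.com",
        });
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/login", () => Results.Challenge(
    new AuthenticationProperties { RedirectUri = "/" }, new[] { "Jira" }));
app.MapGet("/", (HttpContext ctx) =>
    ctx.User.Identity?.IsAuthenticated == true ? "signed in" : "anonymous");
app.Run();

// Hypothetical helper for this example: the generic AdditionalAuthorizationParameters idea,
// implemented on top of the existing event hook instead of a new handler option.
public static class OAuthOptionsAuthorizationParameterExtensions
{
    // Parameters OAuthHandler.BuildChallengeUrl emits itself. Letting a "custom parameters" hook
    // re-add these would either duplicate them (forbidden by RFC 6749) or, if a provider takes the
    // last value, replace the CSRF state or PKCE challenge. Reject them up front.
    private static readonly HashSet<string> Reserved = new(StringComparer.OrdinalIgnoreCase)
    {
        "client_id", "redirect_uri", "response_type", "scope", "state",
        "code_challenge", "code_challenge_method",
    };

    public static void AddAuthorizationParameters(this OAuthOptions options,
        IReadOnlyDictionary<string, string> parameters)
    {
        foreach (var name in parameters.Keys)
        {
            if (Reserved.Contains(name))
            {
                throw new ArgumentException(
                    $"'{name}' is set by the OAuth handler and cannot be overridden.", nameof(parameters));
            }
        }

        // Chain onto whatever handler is already registered (by default one that issues the redirect)
        // so other customisations keep working.
        var next = options.Events.OnRedirectToAuthorizationEndpoint;
        options.Events.OnRedirectToAuthorizationEndpoint = context =>
        {
            var uri = context.RedirectUri;
            foreach (var (name, value) in parameters)
            {
                // AddQueryString percent-encodes name and value and keeps any existing query intact;
                // it does not deduplicate, which is why the reserved-name check above exists.
                uri = QueryHelpers.AddQueryString(uri, name, value);
            }
            context.RedirectUri = uri;
            return next(context);
        };
    }
}
```

Navigating to /login triggers the challenge; the browser is sent to the authorization endpoint with the handler's own client_id, redirect_uri, response_type, scope and state followed by audience=api.atlassian.com. Because the helper never rebuilds the URL, the state value the handler later validates on the callback is untouched. Note that OAuthOptions.Events is ignored when EventsType is configured, in which case the same logic belongs in the custom OAuthEvents subclass.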

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 1
  • Comments: 8 (7 by maintainers)

Top GitHub Comments

1 reaction
martincostello commented, Jan 5, 2022

@Tratcher Looking at our providers, it looks like there’s 7 providers that could potentially benefit from something like AdditionalAuthorizationParameters, where we could then completely remove our BuildChallengeUrl() overrides and just populate it either in the relevant options class or as a post-configure action:

  1. Apple
  2. Discord
  3. Dropbox
  4. Line
  5. Reddit
  6. Twitch
  7. Zalo
0 reactions
msftbot[bot] commented, Nov 16, 2022

Thanks for contacting us.

We’re moving this issue to the .NET 8 Planning milestone for future evaluation / consideration. We would like to keep this around to collect more feedback, which can help us with prioritizing this work. We will re-evaluate this issue during our next planning meeting(s). If we later determine that the issue has no community involvement, or that it is a very rare and low-impact issue, we will close it, so that the team can focus on more important and high-impact issues. To learn more about what to expect next and how this issue will be handled you can read more about our triage process here.
