Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

interop with https://github.com/pingidentity/lua-resty-openidc

See original GitHub issue

Thanks for django-oidc-provider, it is amazing.

I’m trying to use it with lua-resty-openidc which performs the following requests

GET /authorize?scope=code%20id_token&client_id=471746&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code

POST /token code=fdd5ff7ce2b14b42a5f1c2c063bb3b9a&client_id=471746&state=7c3ce94c606700d4fda65d9ae6dc806d&grant_type=authorization_code&redirect_uri=http%3A%2F%2Flocalhost%2Foauth2%2Fcallback&client_secret=06e53969f87da66e0a8c1f4d85346ba6efdb1927636c09d35d322e08

django-oidc-provider returns an empty {} id_token because is_authentication is False. https://github.com/juanifioren/django-oidc-provider/blob/v0.4.x/oidc_provider/lib/endpoints/token.py#L152

But, lua-resty-openidc expects a non-empty id_token with at minimum the issuer.

{"access_token": "ccd4b37ecd8745ab807017973089a08b", "token_type": "bearer", "expires_in": 3600, "refresh_token": "869fcc0c945b41e397dbd7c0bef2dcb0", "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjRkOGE1ODI0NWNjZWNjNGQxNjgyOGU1MGI3N2VkMzBmIn0.e30.0zSwT08G-0Lbx8u-qpMH5soRl5mJAuoOipAJeDKg5Mnn4d6PscIcCyaDZqR0H3gpE-ZD0ALjIPsWtdoxscb4hH4sgmXusyLudlzeEggBjIyHIa-H9oBzt6znLP4AJzv3XwecOTJ3hrNiwKbulFFH0PnSsH9WyKgHn3BwamZU3LE"}

Solution so far is just to patch is_authentication or True. Am I missing something by not requesting the right token earlier from lua-resty-openidc?

Issue Analytics

State:
Created 7 years ago
Comments:5 (2 by maintainers)

Top GitHub Comments

1reaction

juanifiorencommented, Nov 9, 2016

scope is for for openid or oauth2 claims (openid, profile, email, address, etc). response_type is to define the flow. Values are:

code: Authorization Code Flow
id_token: id_token (Implicit Flow)
id_token token: id_token token (Implicit Flow)
code token: code token (Hybrid Flow)
code id_token: code id_token (Hybrid Flow)
code id_token token: code id_token token (Hybrid Flow)

So in your case your request should be:

/authorize?scope=openid+profile+email&client_id=471746&state=4211b60d068bc9419178f40bae27f242&nonce=f43023951b2f2f0d0115f1358d755a33&redirect_uri=https%3A%2F%2Flocalhost%2Foauth2%2Fcallback&response_type=code%20id_token

0reactions

dholthcommented, Nov 9, 2016

It works, in ‘code’ mode (set in both RP and OP), with the mentioned scope.