nuxt-auth-utils
nuxt-auth-utils copied to clipboard
Atinux
feat: add generic oidc provider
WIP
This PR is based upon https://github.com/Atinux/nuxt-auth-utils/pull/12
This PR adds a generic provider for OIDC. It currently supports the 'code' response type / grant type 'authorization_code' and also optionally 'pkce'. Other response types and grant type combinations are not yet tested, but might in some cases already work.
Feedback welcome.
This looks like a great addition! I have some suggestions/feedback regarding the implementation:
- ~~If this should be a generic OIDC provider, I would remove the "auth0" annotations from the type descriptions, as many other vendors also provide generic OIDC endpoints. I am just talking about things like
Auth0 OAuth Audience, which should beOAuth Audience, not the@seeannotation, they are really helpful~~ - As we are in a SSR scenario we have a confidential client scenario, where we can use the
clientSecret, I would point out the criticality of using a client secret as well as the secure storage of it in the docs. It's very important to remember this, if this library changes it's scope to also include client side scenarios at some point, as the usage of aclientSecretwould be considered a critical security flaw. But as long as we are strictly working server side, there should be no security issue. Any plans to change to also support client side @Atinux ? - If the option to use a client secret is provided, we should also provide the possibility of using client certificate credentials as a more secure option
-
userinfoUrlshould be a optional parameter, as some providers don't have or provide a user info endpoint. - I would suggest adding a config option called
userNameClaimto be able to identify and map the designated user name, as these can often be customized while setting up the OAuth identity provider configuration - I would suggest adding a certification uri (also known as
jwks_uri) for token validation. For token validation in general, we could also resolve the validation URIs from theissfield. As defined by the OAuth standard, thejwks_urishould be listed in the well-known properties, which can be found under{ISSUER_FIELD}/.well-known/openid-configuration. - For proper token validation, there should also an array config option to list the valid issuers to avoid malicious issuers being verified.
- I would suggest narrowing down the types for
response_typeto the possibilities defined by the OAuth spec ("code", "code token", "code id_token", "id_token token", "code id_token token") - I would suggest adding an optional
response_modefield with the options "query" and "fragment"
EDIT:
- As some other libraries do, it could also be a good idea to introduce a
openidConfigurationoption, where the user can directly provide the/.well-known/openid-configurationmetadata document url to directly get all the required provider settings -
grant_typeshould be limited toauthorization_code - I would suggest leaving out the claims config for now, as it is normally only needed, if an API returns a claims challenge to the client, which would required handling the complete claims challenge flow and which is not defined as part of RFC 6749
@itpropro thank you for the feedback! I will try to incorporate it.
Any progress on this? Have a project that i would love to test the oidc implementation on
They are still some conflicts and I would like to have the readme updated in order for users to understand how to use it.
Happy to take a stab at it?
Don't know enough auth and openid spec to be able to do that 😢 I guess @maximilianmikus is the more competent of us here 😄
Hi @Atinux and @maximilianmikus, it seems no one is taking up the topic again, do you need help?
I am up for that, but why do we need to update the Auth0 provider in this pull request?