security_monkey
OpenID Connect SSO - user authentication fails because client_id is included in redirect_uri
Please make sure that you have checked the boxes:
- [x] Review the Quickstart guide
- [x] Search for both open and closed issues regarding the problem you are experiencing
- [x] For permissions issues (Access Denied and credential related errors), please refer to the requisite docs before submitting an issue: AWS, GCP, OpenStack, GitHub
Description of issue:
When OpenID Connect is configured for user authentication, and a user is redirected from SecurityMonkey to an OAuth Authorization Server to be authenticated, SecurityMonkey includes the client_id in the state parameter, which causes an issue for all Authorization Servers that enforce RFC 6749 (OAuth 2.0 Authorization Framework), specifically section 2.3.1 Client Password:
https://tools.ietf.org/html/rfc6749#section-2.3.1
> Including the client credentials in the request-body using the two parameters is NOT RECOMMENDED and SHOULD be limited to clients unable to directly utilize the HTTP Basic authentication scheme (or other password-based HTTP authentication schemes). The parameters can only be transmitted in the request-body and MUST NOT be included in the request URI.
I believe that removing the client_id from the state parameter would fix this issue and help this project conform to the OAuth 2.0 specification better.
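An added example, not security_monkey's own code, showing the pattern the report describes beside the fix it proposes. The endpoint, client id and redirect URI are constructed placeholders; `build_state_before` reproduces a state value that embeds the `client_id`, while `build_authorize_url` keeps the `client_id` in the server-side session and sends an opaque random `state` that the callback handler checks once and discards.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder values; a real deployment reads these from configuration.
CLIENT_ID = "example-client-id"
AUTHORIZE_ENDPOINT = "https://issuer.example/authorize"
REDIRECT_URI = "https://monkey.example/login/oidc/callback"


def build_state_before(client_id):
    """The pattern in the report: application data (client_id) packed into state."""
    return client_id + ":" + secrets.token_urlsafe(16)


def build_state_after():
    """Opaque, unguessable state with nothing but randomness in it."""
    return secrets.token_urlsafe(32)


def state_carries_client_id(state, client_id):
    """Simple check a reviewer can run over a generated state value."""
    return client_id in state


def build_authorize_url(session, client_id=CLIENT_ID, redirect_uri=REDIRECT_URI):
    """Build the authorization request; client_id is bound to the session, not to state."""
    state = build_state_after()
    session["oidc_state"] = state          # compared on the callback
    session["oidc_client_id"] = client_id  # stays server-side
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid email",
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def state_from_url(url):
    """Extract the state query parameter from an authorization or callback URL."""
    return parse_qs(urlparse(url).query).get("state", [""])[0]


def handle_callback(callback_url, session):
    """Accept the callback only if state matches the session value; state is single-use.

    Returns the authorization code and the session-bound client_id, or None on mismatch.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    expected = session.pop("oidc_state", None)  # pop: a replayed state cannot match twice
    if expected is None or not hmac.compare_digest(
        returned_state.encode(), expected.encode()
    ):
        return None
    return {"code": query.get("code", [""])[0], "client_id": session.get("oidc_client_id")}


if __name__ == "__main__":
    sess = {}
    url = build_authorize_url(sess)
    print(url)
    print(handle_callback(REDIRECT_URI + "?code=abc&state=" + state_from_url(url), sess))
```

Because `secrets.token_urlsafe` only emits URL-safe base64 characters, the state survives `urlencode` unchanged, so the value stored in the session is byte-for-byte what the authorization server echoes back.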
More than happy to accept a PR. Not high-priority for us.
Hey! I am Animesh. A learner, Google Summer of Code 2018 student and an open source enthusiast. Would love to work on this issue. One Question - is there any channel which I can join where I can discuss more on this? :)
Hello @nasehim7 ! We have a Gitter channel here: https://gitter.im/Netflix/security_monkey