laravel-openid-connect-server

How to customize the AuthToken?

Open selfsimilar opened this issue 11 months ago • 4 comments

Using openidconnect.net I've compared the auth tokens issued by laravel-openid-connect-server and Google's OAuth flow and Google returns userdata in the AuthToken. Compare:

This Library

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "1",
  "sub": 1
}

Payload

{
  "iss": "https://example.net",
  "sub": "1",
  "aud": "12345678-0abc-def1-2345-67890",
  "exp": 1709582589.667932,
  "iat": 1709581989.667932,
  "jti": "8a6b279c7c170581a27a55c797e207075db9c1fb1b036cd40981323fdc09c259f575f5c3b0a7776c",
  "auth_time": 1709581983,
  "nonce": null
}

Google

Header

{
  "alg": "RS256",
  "kid": "12345678901234567890",
  "typ": "JWT"
}

Payload

{
  "iss": "https://accounts.google.com",
  "azp": "12345678-0abc-def1-2345-67890",
  "aud": "12345678-0abc-def1-2345-67890",
  "sub": "12345678901234567890",
  "email": "[email protected]",
  "email_verified": true,
  "at_hash": "whatever",
  "name": "John Doe",
  "picture": "https://lh3.googleusercontent.com/a/;lkjasdf;lkjasdf;lkajsdf",
  "given_name": "John",
  "family_name": "Doe",
  "iat": 1709581989.667932,
  "exp": 1709582589.667932
}

As this format is accepted by Firebase (who I am trying to integrate with) I'd like to use this as a template and at least add the personal details to the token.

This library's routes file sends POST requests to oauth/token to Laravel Passport's AccessTokenController::issueToken() function which eventually uses the openid-connect-server AuthCodeGrant::respondToAccessTokenRequest() function. I notice in that function there is a TODO on line 206 "populate idToken with claims ...". The associated next line calls out to a stub function addMoreClaimsToIdToken(). Did you have a plan for this? Or should I extend the AuthCodeGrant class to implement this in a custom class in Laravel to add these claims?

Thanks

selfsimilar avatar Mar 04 '24 20:03 selfsimilar

Easiest is to extend the authCode grant and swap the implementation in PassportServiceProvider. This is what I did when I used this library.

I am also curious if you have an idea of a way to process additional claims without extending the class?

omitobi avatar Mar 04 '24 21:03 omitobi

@omitobi perfect! This worked! Or at least, I'm getting a different error back now. Firebase is now saying "Remote site returned 5xxx for oidc.mysite CODE_EXCHANGE". I'm going to dig through logs now, but based on this error do you have any ideas what it is upset about now?

selfsimilar avatar Mar 05 '24 18:03 selfsimilar

I'm not entirely sure what could be the reason Firebase is complaining but you could check for that specific error information online. Or is it possible that Firebase expects some fields in the claim that are not present?

omitobi avatar Mar 05 '24 19:03 omitobi

I resolved the 5xx error - that was a silly mistake of mine. But Firebase continues to return 'Unable to parse the ID Token.' The only field that the Google SSO token has that mine is missing is at_hash which is an optional token. https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

Grrrrr!

selfsimilar avatar Mar 05 '24 20:03 selfsimilar
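The claims comparison in the opening post and the at_hash question in the last comment, as an added example that is not part of this issue or of the project's code: a stand-alone Python helper (Python rather than the project's PHP so it runs on its own) that computes at_hash as OIDC Core 1.0 defines it and checks an ID token payload against the structural claim rules of the spec linked above. LIBRARY_PAYLOAD is the token from the opening post; every other value is constructed.

```python
# Added example, not code from laravel-openid-connect-server or Passport: builds
# the at_hash claim as OIDC Core 1.0 section 3.3.2.11 defines it and checks an
# ID token payload against the structural requirements of section 2.
import base64
import hashlib

# The id_token "alg" selects the hash: RS256/PS256/ES256 use SHA-256, and so on.
_HASH_FOR_ALG = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat")

# Payload copied from the opening post of this issue (what the library emitted).
LIBRARY_PAYLOAD = {
    "iss": "https://example.net", "sub": "1", "aud": "12345678-0abc-def1-2345-67890",
    "exp": 1709582589.667932, "iat": 1709581989.667932, "auth_time": 1709581983,
    "jti": "8a6b279c7c170581a27a55c797e207075db9c1fb1b036cd40981323fdc09c259f575f5c3b0a7776c",
    "nonce": None,
}

def compute_at_hash(access_token, alg="RS256"):
    """Left-most half of hash(access_token ASCII octets), base64url without padding."""
    digest = _HASH_FOR_ALG[alg[-3:]](access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")

def check_id_token_claims(payload, access_token=None, alg="RS256"):
    """Return the spec violations found; an empty list means the payload passed."""
    problems = [f"missing required claim {c!r}" for c in REQUIRED_CLAIMS if c not in payload]
    sub = payload.get("sub")
    if sub is not None and not (isinstance(sub, str) and 0 < len(sub) <= 255 and sub.isascii()):
        problems.append("sub must be a non-empty string of at most 255 ASCII characters")
    aud = payload.get("aud")
    if aud is not None and not (isinstance(aud, str) or
                                (isinstance(aud, list) and all(isinstance(a, str) for a in aud))):
        problems.append("aud must be a string or an array of strings")
    for claim in ("exp", "iat", "auth_time"):  # NumericDate: seconds since the epoch
        value = payload.get(claim)
        if claim in payload and (isinstance(value, bool) or not isinstance(value, (int, float))):
            problems.append(f"{claim} must be a JSON number (seconds since the epoch)")
    if all(isinstance(payload.get(c), (int, float)) for c in ("exp", "iat")) and payload["exp"] <= payload["iat"]:
        problems.append("exp must be later than iat")
    # nonce is present only when the request carried one, and then it is a string;
    # a JSON null in place of an omitted claim is outside what the spec describes.
    if "nonce" in payload and not isinstance(payload["nonce"], str):
        problems.append("nonce must be a string when present; omit it when no nonce was sent")
    if access_token is not None and "at_hash" in payload:
        if payload["at_hash"] != compute_at_hash(access_token, alg):
            problems.append("at_hash does not match the access token issued with the ID token")
    return problems
```

On LIBRARY_PAYLOAD the only finding is the null nonce; the thread itself does not establish what Firebase actually rejects.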