
feat: update Yandex and VK OIDC

Open renom opened this issue 1 year ago • 2 comments

Changes

VK provider: Support PKCE

It seems like VK doesn't provide /.well-known/openid-configuration (VK doesn't support OpenID). So to use PKCE, it needs to be enabled explicitly with:

pkce: "force"

VK provider: Support returning phone_number in claims

VK offers different endpoints for PKCE and non-PKCE configurations. The token endpoint used in the non-PKCE configuration can return email but not phone. The extra endpoint https://id.vk.com/oauth2/user_info can be used to retrieve email and phone, but it doesn't accept the access_token returned by the non-PKCE token endpoint. So to retrieve a phone, PKCE is required to be enabled:

  - id: vk
    provider: vk
    mapper_url: "data-mapper.jsonnet"
+   pkce: "force"
    scope:
      - email
+     - phone
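Review bot: the config example gives no hint why `pkce: "force"` is mandatory here rather than optional; since the documentation checklist item is still unchecked, a comment beside that line (or a sentence in the provider docs) should state that VK publishes no discovery document, so PKCE cannot be auto-detected, and that without it the `phone` scope is accepted but no phone_number can be returned.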

Additional info: I added AccessTokenURLOptions(r *http.Request) []oauth2.AuthCodeOption to the OAuth2Provider interface. It works like AuthCodeURLOptions(r ider) []oauth2.AuthCodeOption, but it is dedicated to updating the token URL. VK requires passing the device_id URL param (received by the callback) to the PKCE token endpoint. Without this change it's impossible. I updated all the other OIDC providers to comply with the updated interface.

Yandex provider: Support returning phone_number in claims

No extra configuration is needed.

Related issue(s)

Fixes: #4147

Checklist

  • [x] I have read the contributing guidelines.
  • [x] I have referenced an issue containing the design document if my change introduces a new feature.
  • [x] I am following the contributing code guidelines.
  • [x] I have read the security policy.
  • [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
  • [ ] I have added tests that prove my fix is effective or that my feature works.
  • [ ] I have added or changed the documentation.

Further Comments

  • Everything is tested manually (including backward compatibility).
  • I didn't ask about approving the changes in Slack (please let me know if I need to).
  • VK seems to have removed the docs about non-PKCE endpoints, so the PKCE endpoints are probably the recommended way to use OIDC.

renom avatar Oct 14 '24 15:10 renom
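The PKCE mechanics the description above hinges on (the verifier/challenge pair, the check a token endpoint performs, why a provider without a discovery document needs an explicit "force", and a VK-style extra parameter such as device_id on the token request), as an added stand-alone example that is not part of this PR or of Kratos's code. It uses only the Go standard library: Discovery, UsePKCE, TokenParam, AccessTokenURLOptions(callbackQuery url.Values) and TokenRequestForm are stand-ins modelled on the thread's wording, not Kratos's real types or signatures, and the auto/never/force policy is an assumption.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
)

// Discovery is a constructed stand-in for the one field of OpenID Provider
// metadata that PKCE auto-detection cares about.
type Discovery struct {
	CodeChallengeMethodsSupported []string
}

// UsePKCE decides whether PKCE is used (assumed policy, not Kratos's code):
// "auto" relies on discovery metadata, so a provider like VK that publishes
// none never gets PKCE unless "force" is configured.
func UsePKCE(mode string, disc *Discovery) (bool, error) {
	switch mode {
	case "force":
		return true, nil
	case "never":
		return false, nil
	case "auto", "":
		if disc == nil {
			return false, nil
		}
		for _, m := range disc.CodeChallengeMethodsSupported {
			if m == "S256" {
				return true, nil
			}
		}
		return false, nil
	}
	return false, fmt.Errorf("unknown pkce mode %q", mode)
}

// NewCodeVerifier returns a code_verifier per RFC 7636 section 4.1:
// 32 random bytes, base64url-encoded without padding (43 characters).
func NewCodeVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// CodeChallengeS256 derives the code_challenge sent on the authorization
// request: BASE64URL(SHA256(ASCII(code_verifier))), RFC 7636 section 4.2.
func CodeChallengeS256(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// VerifyPKCE is the check the token endpoint performs: recompute the
// challenge from the presented verifier and compare in constant time.
func VerifyPKCE(challenge, method, verifier string) error {
	if len(verifier) < 43 || len(verifier) > 128 {
		return errors.New("code_verifier length outside RFC 7636 bounds")
	}
	var expected string
	switch method {
	case "S256":
		expected = CodeChallengeS256(verifier)
	case "plain":
		expected = verifier
	default:
		return fmt.Errorf("unsupported code_challenge_method %q", method)
	}
	if subtle.ConstantTimeCompare([]byte(expected), []byte(challenge)) != 1 {
		return errors.New("code_verifier does not match code_challenge")
	}
	return nil
}

// TokenParam stands in for oauth2.AuthCodeOption: one extra token-request field.
type TokenParam struct{ Key, Value string }

// AccessTokenURLOptions mirrors the hook the PR describes: read the device_id
// the provider sent to the callback and forward it to the token request.
// The callback query parameter name "device_id" is an assumption.
func AccessTokenURLOptions(callbackQuery url.Values) []TokenParam {
	if id := callbackQuery.Get("device_id"); id != "" {
		return []TokenParam{{"device_id", id}}
	}
	return nil
}

// TokenRequestForm builds the form body of the code exchange, carrying the
// PKCE verifier plus any provider-specific parameters.
func TokenRequestForm(code, verifier string, extra []TokenParam) url.Values {
	form := url.Values{}
	form.Set("grant_type", "authorization_code")
	form.Set("code", code)
	form.Set("code_verifier", verifier)
	for _, p := range extra {
		form.Set(p.Key, p.Value)
	}
	return form
}

func main() {
	v, _ := NewCodeVerifier()
	fmt.Println("verify:", VerifyPKCE(CodeChallengeS256(v), "S256", v))
	q, _ := url.ParseQuery("code=abc&device_id=dev-123") // constructed callback query
	fmt.Println(TokenRequestForm("abc", v, AccessTokenURLOptions(q)).Encode())
}
```

The point for operators is visible in UsePKCE: with a provider that has no discovery document, "auto" can never turn PKCE on, which is exactly why the VK config needs the explicit setting; the check in VerifyPKCE is what a PKCE-capable token endpoint does with the verifier, and a stolen authorization code alone fails it.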

Hi guys. Any chance it'll get merged?

renom avatar Feb 12 '25 06:02 renom

Are you sure that the VK ID provider is the same as VK? Maybe we should get a separate provider, so as not to mix them, and deprecate the old one.

afansv avatar May 03 '25 08:05 afansv