This repository has been archived by the owner on Jun 12, 2021. It is now read-only.

client_id in Access Token aud #74

Open
peppelinux opened this issue Jul 28, 2020 · 1 comment
Labels
question Further information is requested wontfix This will not be worked on

Comments

@peppelinux
Member

peppelinux commented Jul 28, 2020

With the help of django-oidc-op/snippets/rp_handler.py, here I post the debugging information regarding an ordinary oidcendpoint/oidcrp session.

In OAuth2, aud is optional, as described here:
https://tools.ietf.org/html/rfc7519#section-4.1.3

In OIDC it is not: https://openid.net/specs/openid-connect-core-1_0.html#IDToken

python3 snippets/rp_handler.py -c example/data/oidc_rp/conf.django.yaml -u that_user -p that_password -iss django_oidc_op
Client registration done...
Connecting to Authorization url:
 {
  "url": "https://127.0.0.1:8000/authorization?redirect_uri=https%3A%2F%2F127.0.0.1%3A8099%2Fauthz_cb%2Fdjango_oidc_op&scope=openid+that_scope+profile+email+address+phone&response_type=code&nonce=wCn0Bncr7m6sRO10P5f7SA5o&state=ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx&code_challenge=ycWJAoBgUEH9NyRPEsUJwvRtTUAsDRMKvMecaLs9d_8&code_challenge_method=S256&client_id=1UUl6cwNigmj",
  "state": "ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx"
}


The Authorization endpoint returns an HTML authentication form with a token
 {
  "token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImJXdG9SekV4VXkxak9GVXlSV2hwZUdkbFREWlBaME55TW1ka05ERlFaakJSUzJreVQwaExVazVJUVEifQ.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.VKnZZmWuHuOZjgaUUn7A5X5TjZaGeuuv8AjpwMkYdtmpxr31GEEOnmltjU3burmIZV1qOZC4vnRTZntAXO8GflwRkjtKBPvewGqkz4etHVZEkHZ3nKMG8zolFuU7xdYuV9wUok0ZzNh52qWcLhGOHTvBsfHB5gN7JXYSKF33Ii1JlwYL--nJLuIQRvV2MjyzzS01GGJ_Zlk2zWaox7MsWQeTcFk4HBnfaGc1ugjVJsMqpNwRmWvronVvU-93MvfVK46lhUQlvJuZNRJ2tlHc3JVvCDYmTfFk-MVlt_LhuTk90_u1G35lpX0klLavdgkOorUheJVVPsqCj9aME0GdqQ",
  "url": "verify/oidc_user_login/"
}


The Authorization endpoint returns an HTTP redirect (302) to https://127.0.0.1:8099/authz_cb/django_oidc_op?state=ytSp5K8X5XvE5RCfEFmEpHqHZVn5kYgx&scope=openid+that_scope+profile+email+address+phone&code=Z0FBQUFBQmZJQUE0YWFwUkdiMzhQM3oxNTkzNDZ4QlRQZjNlbUNIeXIwM1kwSkVZSHRzc0pueE01dndyZ2YxZXdzRVVGWGFlTXNmOFFGM3I3cW5iMEE5Uk9xXzFJQzRuN0tOd0ZrVzJwYlk3M2xIa3pCRGh4eUgySTRIaE9aVlhQSDFGenFwTHduR0NDc0tmSUJ3d3RsaXdLRldIMjQ1STcxRU5oWUE1WHIwb3B4ZWU2V1ZldndsRjBSWU1wOUF4N3owcDFWV2QzSDZtcUQzU0JKUW5qemxPdzFOdE5SWnJ4VXJ3N3hpM0dlYTZSYkROSmZyNURQWT0%3D&session_state=bc627c1120c4bb6fc3c6296d24fe926c9740b0f7944ce0e0c55c65b6055b5085.w9fW3DOoKcYD3nvU&iss=https%3A%2F%2F127.0.0.1%3A8000&client_id=1UUl6cwNigmj
 {}


Bearer Access Token
 "eyJhbGciOiJFUzI1NiIsImtpZCI6IlQwZGZTM1ZVYUcxS1ZubG9VVTQwUXpJMlMyMHpjSHBRYlMxdGIzZ3hZVWhCYzNGaFZWTlpTbWhMTUEifQ.eyJzaWQiOiAiYzBlY2QxMTFjMTM5MmM1N2M2YjE3MWZkMmNiYjJkMzFjMGM2NjUyOGVhN2QwZGFlZTNkODk2YTgiLCAidHR5cGUiOiAiVCIsICJzdWIiOiAiMDc2ZWNjYTk0ZmU0NTQ2N2I0NDM1ZDhlZWFkMjE4OGFkMzc3MWUxMGZmNjcyY2UxOTMwYzA0YWE4NjI0MTgxYyIsICJpc3MiOiAiaHR0cHM6Ly8xMjcuMC4wLjE6ODAwMCIsICJpYXQiOiAxNTk1OTMyNzI4LCAiZXhwIjogMTU5NTkzNjMyOCwgImF1ZCI6IFsiMVVVbDZjd05pZ21qIiwgImh0dHBzOi8vMTI3LjAuMC4xOjgwMDAiXX0.tAyozYfL6EpbZ0v_31_pm6MbeuD5RSILqZuIyObks_vJEzUOU1qqi4zxt4jz05s002u8y795NZPMqlgjpNNWFw"


Access Token
 {
  "sid": "c0ecd111c1392c57c6b171fd2cbb2d31c0c66528ea7d0daee3d896a8",
  "ttype": "T",
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c",
  "iss": "https://127.0.0.1:8000",
  "iat": 1595932728,
  "exp": 1595936328,
  "aud": [
    "1UUl6cwNigmj",
    "https://127.0.0.1:8000"
  ]
}


ID Token
 {
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c",
  "auth_time": 1595932727,
  "acr": "oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD",
  "nonce": "wCn0Bncr7m6sRO10P5f7SA5o",
  "iss": "https://127.0.0.1:8000",
  "iat": 1595932728,
  "exp": 1595933028,
  "aud": [
    "1UUl6cwNigmj"
  ]
}


Userinfo endpoint result:
 {
  "email": "[email protected]",
  "given_name": "Giuseppe",
  "family_name": "De Marco",
  "gender": "male",
  "birthdate": "2020-07-26",
  "updated_at": 1595931659,
  "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c"
}
@peppelinux peppelinux changed the title State in Access Token aud Client_id in Access Token aud Jul 28, 2020
@peppelinux peppelinux changed the title Client_id in Access Token aud issuer hash in Access Token aud Jul 28, 2020
@peppelinux peppelinux changed the title issuer hash in Access Token aud client_id in Access Token aud Jul 28, 2020
@peppelinux
Member Author

peppelinux commented Jul 28, 2020

So, it seems to me that oidcendpoint handles both the OAuth2 and OIDC specifications, having client_id and issuer id in the aud field.
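The consequence of a two-valued `aud` for whoever consumes these tokens is best seen by running the audience checks a relying party and a resource server are expected to perform. The following is an added example written for this page; it is not code from oidcendpoint, oidcrp or django-oidc-op. It parses the access token printed above (the signature is deliberately not verified, because the OP's public key is not on the page) and applies the RP-side ID Token rules from OpenID Connect Core 1.0 section 3.1.3.7 and a plain "is my identifier in `aud`" rule on the resource-server side. The client_id and issuer come from the debug output; the fixed clock `NOW` and the unrelated resource identifier `https://api.example.org` are assumptions for the demonstration.

```python
import base64
import json

# Access token copied verbatim from the debug output in this issue (an ES256 JWS).
ACCESS_TOKEN = (
    "eyJhbGciOiJFUzI1NiIsImtpZCI6IlQwZGZTM1ZVYUcxS1ZubG9VVTQwUXpJMlMyMHpjSHBRYlMxdGIzZ3hZVWhCYzNGaFZWTlpTbWhMTUEifQ"
    ".eyJzaWQiOiAiYzBlY2QxMTFjMTM5MmM1N2M2YjE3MWZkMmNiYjJkMzFjMGM2NjUyOGVhN2QwZGFlZTNkODk2YTgiLCAidHR5cGUiOiAiVCIsICJzdWIiOiAiMDc2ZWNjYTk0ZmU0NTQ2N2I0NDM1ZDhlZWFkMjE4OGFkMzc3MWUxMGZmNjcyY2UxOTMwYzA0YWE4NjI0MTgxYyIsICJpc3MiOiAiaHR0cHM6Ly8xMjcuMC4wLjE6ODAwMCIsICJpYXQiOiAxNTk1OTMyNzI4LCAiZXhwIjogMTU5NTkzNjMyOCwgImF1ZCI6IFsiMVVVbDZjd05pZ21qIiwgImh0dHBzOi8vMTI3LjAuMC4xOjgwMDAiXX0"
    ".tAyozYfL6EpbZ0v_31_pm6MbeuD5RSILqZuIyObks_vJEzUOU1qqi4zxt4jz05s002u8y795NZPMqlgjpNNWFw"
)

# ID Token claims as printed in the issue (the raw ID Token JWS is not shown there).
ID_TOKEN_CLAIMS = {
    "sub": "076ecca94fe45467b4435d8eead2188ad3771e10ff672ce1930c04aa8624181c",
    "auth_time": 1595932727,
    "acr": "oidcendpoint.user_authn.authn_context.INTERNETPROTOCOLPASSWORD",
    "nonce": "wCn0Bncr7m6sRO10P5f7SA5o",
    "iss": "https://127.0.0.1:8000",
    "iat": 1595932728,
    "exp": 1595933028,
    "aud": ["1UUl6cwNigmj"],
}

RP_CLIENT_ID = "1UUl6cwNigmj"      # client_id from the authorization request above
ISSUER = "https://127.0.0.1:8000"  # 'iss' of the OP above
NOW = 1595932800                   # assumed fixed clock, shortly after 'iat'


def _b64url_decode(segment):
    """Base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jws_unverified(token):
    """Return (header, claims) of a compact JWS WITHOUT checking the signature.

    A real consumer must verify the ES256 signature against the OP's JWKS
    (selecting the key by the header 'kid') before trusting any claim. The
    OP's public key is not available here, so that step is left out.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    return header, claims


def audiences(claims):
    """'aud' may be a single string or a list of strings (RFC 7519 section 4.1.3)."""
    aud = claims.get("aud")
    if aud is None:
        return []
    return [aud] if isinstance(aud, str) else list(aud)


def validate_id_token_claims(claims, client_id, issuer, nonce, now):
    """RP-side ID Token checks (OpenID Connect Core 1.0 section 3.1.3.7).

    Returns a list of failures; an empty list means the claims are acceptable.
    """
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    auds = audiences(claims)
    if client_id not in auds:
        errors.append("client_id not in aud")
    # Extra audiences are only tolerated when 'azp' names this very client.
    if len(auds) > 1 and "azp" not in claims:
        errors.append("multiple aud values but no azp")
    if "azp" in claims and claims["azp"] != client_id:
        errors.append("azp is not this client_id")
    if claims.get("nonce") != nonce:
        errors.append("nonce mismatch")
    if now >= claims.get("exp", 0):
        errors.append("expired")
    return errors


def validate_access_token_claims(claims, resource_id, issuer, now):
    """Resource-server checks on a JWT access token: accept it only when this
    server's own identifier is among the audiences, so a token minted for one
    API cannot simply be replayed against another."""
    errors = []
    if claims.get("iss") != issuer:
        errors.append("iss mismatch")
    if resource_id not in audiences(claims):
        errors.append("token not intended for this resource")
    if now >= claims.get("exp", 0):
        errors.append("expired")
    return errors


if __name__ == "__main__":
    header, at_claims = decode_jws_unverified(ACCESS_TOKEN)
    print("access token alg:", header["alg"], "aud:", audiences(at_claims))
    print("ID token, checked by the RP:",
          validate_id_token_claims(ID_TOKEN_CLAIMS, RP_CLIENT_ID, ISSUER,
                                   ID_TOKEN_CLAIMS["nonce"], NOW) or "ok")
    print("access token, checked by the OP's own userinfo endpoint:",
          validate_access_token_claims(at_claims, ISSUER, ISSUER, NOW) or "ok")
    print("access token, checked by an unrelated API:",
          validate_access_token_claims(at_claims, "https://api.example.org", ISSUER, NOW))
```

Run as a script it shows the split the issue describes: the access token is accepted by a consumer identified by the issuer URL (the OP's own userinfo endpoint) and by nothing else, while the ID Token passes the RP checks only because its single `aud` value is the client_id and no `azp` is needed. The ID-token validator also shows what a second audience would cost: with two `aud` entries and no `azp`, a conforming RP must reject the token.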

@peppelinux peppelinux added question Further information is requested wontfix This will not be worked on labels Jul 28, 2020