How to customize the AuthToken? #34

Open
selfsimilar opened this issue Mar 4, 2024 · 4 comments
Comments


selfsimilar commented Mar 4, 2024

Using openidconnect.net I've compared the auth tokens issued by laravel-openid-connect-server and Google's OAuth flow, and Google returns user data in the AuthToken. Compare:

This Library

Header

{
  "typ": "JWT",
  "alg": "RS256",
  "kid": "1",
  "sub": 1
}

Payload

{
  "iss": "https://example.net",
  "sub": "1",
  "aud": "12345678-0abc-def1-2345-67890",
  "exp": 1709582589.667932,
  "iat": 1709581989.667932,
  "jti": "8a6b279c7c170581a27a55c797e207075db9c1fb1b036cd40981323fdc09c259f575f5c3b0a7776c",
  "auth_time": 1709581983,
  "nonce": null
}

Google

Header

{
  "alg": "RS256",
  "kid": "12345678901234567890",
  "typ": "JWT"
}

Payload

{
  "iss": "https://accounts.google.com",
  "azp": "12345678-0abc-def1-2345-67890",
  "aud": "12345678-0abc-def1-2345-67890",
  "sub": "12345678901234567890",
  "email": "[email protected]",
  "email_verified": true,
  "at_hash": "whatever",
  "name": "John Doe",
  "picture": "https://lh3.googleusercontent.com/a/;lkjasdf;lkjasdf;lkajsdf",
  "given_name": "John",
  "family_name": "Doe",
  "iat": 1709581989.667932,
  "exp": 1709582589.667932
}

As this format is accepted by Firebase (who I am trying to integrate with) I'd like to use this as a template and at least add the personal details to the token.

This library's routes file sends POST requests to oauth/token to Laravel Passport's AccessTokenController::issueToken() function which eventually uses the openid-connect-server AuthCodeGrant::respondToAccessTokenRequest() function. I notice in that function there is a TODO on line 206 "populate idToken with claims ...". The associated next line calls out to a stub function addMoreClaimsToIdToken(). Did you have a plan for this? Or should I extend the AuthCodeGrant class to implement this in a custom class in Laravel to add these claims?

Thanks


omitobi commented Mar 4, 2024

Easiest is to extend the authCode grant and swap the implementation in PassportServiceProvider. This is what I did when I used this library.

I am also curious if you have an idea of a way to process additional claims without extending the class?

selfsimilar (Author) commented

@omitobi perfect! This worked! Or at least, I'm getting a different error back now. Firebase is now saying "Remote site returned 5xxx for oidc.mysite CODE_EXCHANGE". I'm going to dig through logs now, but based on this error do you have any ideas what it is upset about now?


omitobi commented Mar 5, 2024

I'm not entirely sure what could be the reason Firebase is complaining, but you could check for that specific error information online.
Or is it possible that Firebase expects some fields in the claims that are not present?

selfsimilar (Author) commented

I resolved the 5xx error - that was a silly mistake of mine. But Firebase continues to return 'Unable to parse the ID Token.' The only field that the Google SSO token has that mine is missing is at_hash, which is an optional token.
https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken

Grrrrr!
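For reference, the at_hash claim mentioned above is defined in OIDC Core 3.1.3.6 as the base64url encoding of the left-most half of the hash of the access token's ASCII octets, using the hash of the ID Token's JWS alg (SHA-256 for RS256). The following is an added example, not code from this issue or from laravel-openid-connect-server, showing how to compute the claim and how a relying party checks that it binds an ID Token to the access token it was issued with; the token and access token values are constructed and the signature segment is a placeholder.

```python
import base64
import hashlib
import hmac
import json

# Hash implied by the ID Token's JWS "alg" (OIDC Core 3.1.3.6): at_hash uses
# the hash whose bit length matches the signing algorithm.
_HASH_FOR_ALG = {
    "RS256": hashlib.sha256, "ES256": hashlib.sha256,
    "RS384": hashlib.sha384, "ES384": hashlib.sha384,
    "RS512": hashlib.sha512, "ES512": hashlib.sha512,
}


def b64url_encode(raw: bytes) -> str:
    """JOSE base64url: URL-safe alphabet with padding stripped (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Hash the access token's ASCII octets, keep the left-most half, base64url it."""
    digest = _HASH_FOR_ALG[alg](access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def at_hash_matches(id_token: str, access_token: str) -> bool:
    """Check that the ID Token's at_hash binds it to this access token.

    Only the claim binding is checked here; the JWS signature (and iss, aud,
    exp) must be verified separately before any claim in the token is trusted.
    """
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if "at_hash" not in payload:
        return False
    expected = compute_at_hash(access_token, header["alg"])
    return hmac.compare_digest(payload["at_hash"].encode(), expected.encode())


def build_sample_id_token(access_token: str, alg: str = "RS256") -> str:
    """Constructed, UNSIGNED sample for the demo only; the signature is a placeholder."""
    header = {"typ": "JWT", "alg": alg, "kid": "1"}
    payload = {"iss": "https://example.net", "sub": "1",
               "aud": "12345678-0abc-def1-2345-67890",
               "at_hash": compute_at_hash(access_token, alg)}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(payload).encode()),
                     "signature-placeholder"])
```

A server-side implementation would add `compute_at_hash(access_token, alg)` to the ID Token's claims at the point where the access token is issued alongside it.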
