Support Globus with OpenID Connect #8926

Open
driusan opened this issue Nov 1, 2023 · 2 comments · Fixed by #8928
Collaborator

driusan commented Nov 1, 2023

Describe the bug
#8255 added OpenID Connect support to LORIS. It worked with some platforms, but not Globus, for the following 2 reasons:

  1. Globus does not return "email_verified" (only email)
  2. JWK::parseKeySet() failed with Globus

For the first problem, we need to figure out how to securely handle it if the email has not been verified. For the second, we need to support another way to manually parse the key since the JWK response is missing the "kid" field at https://auth.globus.org/jwk.json

driusan added the Bug label (PR or issue introducing/requiring bug fixes; not mutually exclusive with the Feature label) Nov 1, 2023
driusan self-assigned this Nov 1, 2023
driusan added a commit to driusan/Loris that referenced this issue Nov 1, 2023
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Partially resolves aces#8926.
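
The workaround in the commit message above, sketched as an added example in Python using only the standard library; it is not LORIS code and not the PHP library's API. Assumptions: the algorithm is pinned to RS256, all function names are hypothetical, the `kid` shortcut goes beyond the page's workaround, and the keys are constructed toy keys built from Mersenne primes purely so the example runs offline.

```python
import base64, hashlib, json

SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo, RFC 8017 9.2

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(msg: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of msg for a k-byte modulus, as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_ok(jwk: dict, msg: bytes, sig: bytes) -> bool:
    n = int.from_bytes(b64u_dec(jwk["n"]), "big")
    e = int.from_bytes(b64u_dec(jwk["e"]), "big")
    k = (n.bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), e, n) == emsa(msg, k)

def verify_with_jwks(token: str, jwks: dict) -> dict:
    head, body, sig = token.split(".")
    header = json.loads(b64u_dec(head))
    if header.get("alg") != "RS256":  # pin the algorithm, never take it from the token
        raise ValueError("unexpected alg")
    keys = [k for k in jwks["keys"] if k.get("kty") == "RSA" and k.get("use", "sig") == "sig"]
    if "kid" in header and any("kid" in k for k in keys):
        keys = [k for k in keys if k.get("kid") == header["kid"]]  # use kid when both sides have it
    for jwk in keys:  # no kid to select on: try each candidate key
        if rs256_ok(jwk, f"{head}.{body}".encode(), b64u_dec(sig)):
            return json.loads(b64u_dec(body))
    raise ValueError("no key in the JWKS verifies this token")  # fail closed

# --- constructed fixtures: toy RSA keys from Mersenne primes, NOT secure ---
def toy_key(p_exp: int, q_exp: int):
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n, d = p * q, pow(65537, -1, (p - 1) * (q - 1))
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return {"kty": "RSA", "use": "sig", "n": b64u(raw), "e": "AQAB"}, (n, d)  # no "kid"

def toy_sign(claims: dict, n: int, d: int) -> str:
    head = b64u(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    msg = f"{head}.{b64u(json.dumps(claims).encode())}"
    k = (n.bit_length() + 7) // 8
    return msg + "." + b64u(pow(emsa(msg.encode(), k), d, n).to_bytes(k, "big"))

NEW_JWK, NEW_PRIV = toy_key(521, 607)
JWKS = {"keys": [toy_key(607, 1279)[0], NEW_JWK]}  # signing key is second, neither has a kid
TOKEN = toy_sign({"sub": "constructed-user", "email": "user@example.org"}, *NEW_PRIV)
```

A successful signature check only establishes who issued the token; the `iss`, `aud` and `exp` claims still need to be checked before the claims are trusted.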
driusan added a commit that referenced this issue Nov 7, 2023
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Relate to #8926.
Collaborator Author

driusan commented Nov 7, 2023

Incorrectly auto-closed; only the parseKeySet part was resolved.

driusan reopened this Nov 7, 2023
Collaborator Author

driusan commented Jan 23, 2024

#8938 added support for adding hooks to the User Preferences page, where we can add a "Link your account to ..." option for already logged-in users, bypassing the problem of the verified email being missing.

jeffersoncasimir pushed a commit to jeffersoncasimir/Loris that referenced this issue Feb 29, 2024
Some OpenID Connect providers (ie. Globus) don't specify 'kid'
in their JWKS response. The field is optional according to the
spec, despite the fact that JWK::parseKeySet errors if it's not
provided.

As a workaround, this manually tries each key returned until one
works.

Partially resolves aces#8926.