Problem:
This module does not provide ".well-known/openid-configuration" or server certificates in "jwks" style, as required by the Open ID 1.0 specs.

Suggested solution:
1. Leave the existing "oauth2/certificates" unchanged to stay compatible with old implementations and provide a second path which is in "jwks" style.
2. Provide a single or multiple JSON files on ".well-known/openid-configuration" or "path-n/.well-known/openid-configuration", or just a JSON file creator for a manual copy.

The "openid-configuration" can be provided manually, but the certificate changes often via cron. So this is the more important part to realize.


Old Issue description by @rdhiman:

Dear Drupal Team,

I am using OAuth2 Server 8.x-1.0-beta1 with Drupal 8.4.5 and I did not find any URL that returns well-known/keys or well-known/openid-configuration.

Can we have the information below on any RESTful URLs like these?

jwk_uri -
http://mysite.com/.well-known/keys

well_known_uri -
http://mysite.com/.well-known/openid-configuration/

Please suggest how we can get this information. This is very crucial to go ahead.
Or you may suggest any other workaround to achieve this.

Attachments:
#2 OAuth2Controller.txt (8.63 KB) by rdhiman

Comments

rdhiman created an issue. See original summary.

rdhiman’s picture

Attachment: OAuth2Controller.txt (new, 8.63 KB)

Dear Team,

I made some tweaks in \modules\contrib\oauth2_server\src\Controller\OAuth2Controller
=> \modules\contrib\oauth2_server\src\Controller\OAuth2Controller openIdConfiguration
=> \modules\contrib\oauth2_server\src\Controller\accessNeedsKeys (call openIdConfiguration inside this)

Created the URLs below for the OpenID configuration
=> well_known_uri: http://mysite.com/oauth2/certificates?openid-configuration
=> jwks_uri: http://mysite.com/oauth2/certificates?jwkUri

I added the code below to this function -
// Near the top of OAuth2Controller.php. The key helper's namespace is assumed
// to be the module's Drupal\oauth2_server\Utility (it is referenced below as Utility::getKeys()).
use Drupal\oauth2_server\Utility;

/**
 * Access needs Keys.
 *
 * Delegates to openIdConfiguration(), which sends its own JSON response and
 * exits when one of the discovery query parameters is present.
 */
public function accessNeedsKeys() {
  $this->openIdConfiguration();
}

And this is my openIdConfiguration function -

private function openIdConfiguration() {
  // Initialise both flags up front so they are defined even when $_GET is empty.
  $foundJwkUri = $foundOpenidConfiguration = FALSE;
  if (!empty($_GET)) {
    // Match the query parameter names case-insensitively.
    array_walk($_GET, function ($val, $var) use (&$foundJwkUri, &$foundOpenidConfiguration) {
      if (strtolower($var) == 'jwkuri') {
        $foundJwkUri = TRUE;
      }
      if (strtolower($var) == 'openid-configuration') {
        $foundOpenidConfiguration = TRUE;
      }
    });
  }
  $response = [];
  if ($foundOpenidConfiguration === TRUE) {
    global $base_url;
    // Take the host from Drupal's request object, which has been checked against
    // trusted_host_patterns (when configured), instead of the raw client-supplied
    // $_SERVER['HTTP_HOST']; the issuer value ends up in every relying party.
    $issuer = 'https://' . \Drupal::request()->getHost();
    $response = [
      'issuer' => $issuer,
      'authorization_endpoint' => $base_url . '/oauth2/authorize',
      'token_endpoint' => $base_url . '/oauth2/token',
      'userinfo_endpoint' => $base_url . '/oauth2/userInfo',
      'jwks_uri' => $base_url . '/oauth2/certificates?jwkUri',
      'response_types_supported' => ['code', 'id_token', 'token id_token', 'code id_token'],
      'subject_types_supported' => ['public'],
      'id_token_signing_alg_values_supported' => ['RS256'],
    ];
  }
  if ($foundJwkUri === TRUE) {
    $keys = Utility::getKeys();
    if (!empty($keys['public_key'])) {
      $public_key = openssl_pkey_get_public($keys['public_key']);
      $details = openssl_pkey_get_details($public_key);
      // JWK members "n" and "e" are base64url-encoded without padding
      // (RFC 7518 section 6.3), not plain base64: strict decoders reject
      // '+', '/' and '='.
      $b64url = function ($bin) {
        return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
      };
      $response = [
        'keys' => [
          [
            'kty' => 'RSA',
            'alg' => 'RS256',
            'use' => 'sig',
            // openssl returns the modulus and exponent as big-endian binary strings.
            'n' => $b64url($details['rsa']['n']),
            'e' => $b64url($details['rsa']['e']),
          ],
        ],
      ];
    }
  }
  if ($foundOpenidConfiguration === TRUE || $foundJwkUri === TRUE) {
    header('Content-Type: application/json');
    echo json_encode($response, JSON_UNESCAPED_SLASHES);
    die;
  }
}

However, I know this may be improved, but this works for me.
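A checker for what this thread is after, added here as an example in Python (it is neither the module's code nor @rdhiman's patch): it builds an RSA JWK with the base64url encoding RFC 7518 requires, and validates a JWKS document and an openid-configuration document against the OpenID Connect Discovery basics (https issuer, document served under the issuer, base64url key members). The host name and key values are constructed.

```python
import base64

# Constructed sample values (not from the issue): a toy RSA modulus whose bytes
# yield '+' and '/' under standard base64, and the usual public exponent.
SAMPLE_N = 0xFBFFBF
SAMPLE_E = 65537
B64URL_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_")
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
            "response_types_supported", "subject_types_supported",
            "id_token_signing_alg_values_supported")


def b64url_uint(n: int) -> str:
    """Base64url-encode an unsigned big-endian integer, no padding (RFC 7518 6.3)."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def rsa_public_jwk(n: int, e: int, kid: str) -> dict:
    """Build the JWK a jwks_uri document should publish for an RS256 signing key."""
    return {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": kid,
            "n": b64url_uint(n), "e": b64url_uint(e)}


def check_jwks(jwks: dict) -> list:
    """Return the problems a relying party would hit with this JWKS document."""
    problems = []
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["no non-empty 'keys' array"]
    for i, key in enumerate(keys):
        if key.get("kty") != "RSA":
            problems.append(f"key {i}: kty is not RSA")
        for field in ("n", "e"):
            value = key.get(field, "")
            if not value or set(value) - B64URL_ALPHABET:
                problems.append(f"key {i}: {field} is not base64url (standard base64 or '=' padding?)")
    return problems


def check_discovery(doc: dict, served_at: str) -> list:
    """Check an openid-configuration document against OIDC Discovery 1.0 basics."""
    problems = [f"missing {f}" for f in REQUIRED if f not in doc]
    issuer = doc.get("issuer", "")
    if issuer and not issuer.startswith("https://"):
        problems.append("issuer must use https")
    # Discovery 4.3: the document lives at issuer + /.well-known/openid-configuration.
    if issuer and served_at != issuer.rstrip("/") + "/.well-known/openid-configuration":
        problems.append(f"document served at {served_at}, expected under issuer {issuer}")
    return problems
```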

rdhiman’s picture

Issue summary: View changes
sanduhrs’s picture

Version: 8.x-1.0-beta1 » 8.x-1.x-dev
Priority: Major » Normal
Status: Active » Needs work

Thanks for your contribution!
To make it easy for other developers to review and use your code, please stick to the known contribution workflow and provide patches as described here: https://www.drupal.org/node/707484

c-logemann’s picture

Title: jwk uri, well known uri not available » Provide openid-configuration and certificate as JWK to meet OpenID 1.0 specs
Issue summary: View changes

I am currently trying to get the Apache module "mod_auth_openidc" working with the D7 version of this module, which was successfully working when I used my own Gitlab CE instance as Open ID provider.
So I first manually created a JSON document similar to this on Gitlab.com because the Apache module depends on this "external" configuration.
In this file I pointed the "jwks_uri" to the "oauth2/certificates" path and this won't work. Via server log files I figured out that this was the problem. With the information of this issue and the fact that Gitlab as OpenID provider is also presenting certificate information in a more structured way (e.g. on gitlab.com) I provided this information currently via an already existing custom module and got this working.
Currently I'm wondering why my own Rocket.Chat server can successfully connect to my D7 Oauth2 Server and believe it's just more tolerant, since I figured out that the Open ID 1.0 specs require providing the "openid-configuration" information as well as the certificates in "jwks" style.
Maybe there was an old standard or this is just a mistake to provide the certificate like it's currently served on the D7 and D8 versions. I think we can leave this path and information as "legacy" but deprecated code and provide a second path for key discovery in "jwks" style and provide this URL(s) via the official OpenID path(s).

@rdhiman Besides working with patches or merge requests, we should use Drupal variables instead of $_SERVER when available.

sysosmaster’s picture

I made a module that does this (the well-known openid-configuration and JWKS),
see https://www.drupal.org/project/openid_connect_autodiscovery
(It's basically a release of a module I made some time ago.)

sanduhrs’s picture

Version: 8.x-1.x-dev » 2.0.x-dev

cafuego made their first commit to this issue’s fork.

cafuego’s picture

Status: Needs work » Needs review

I added a route for /oauth2/jwk and added a simple function based on the code by @rdhiman to spit out the public key in JWK format.

sanduhrs’s picture

Status: Needs review » Fixed

Fixed a few things and committed to 2.0.x.
Thanks for working on this.

  • sanduhrs committed e6f89d4 on 2.0.x
    Issue #2950666 by sanduhrs: Provide openid-configuration and certificate...

  • sanduhrs committed 48c90df on 2.0.x
    Revert "Issue #2950666 by sanduhrs, cafuego, rdhiman: Provide openid-...

  • sanduhrs committed 6647cc4 on 2.0.x
    Revert "Issue #2950666 by sanduhrs, cafuego, rdhiman: Provide openid-...

cafuego’s picture

Revert?

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

gaëlg’s picture

I needed this on D10 but it was reverted for no given reason. So I made this branch, still untested: https://git.drupalcode.org/issue/oauth2_server-3288840/-/tree/3288840_29...

fishfree’s picture

Please re-merge into the latest version.