Support URL-initiated Log-in through Provider

Do you think that this feature should follow (or support) the Initiating Login from a Third Party spec from OpenID Connect Core? From my reading, it looks like the Relying Party (Drupal) would need to accept an iss URL parameter (the full URL of the OpenID Provider) at the login initiation endpoint.

Attached is a patch that follows the specifications from OpenID Connect Core for the 8.x branch.

Let me know if you have any changes/questions/thoughts.

I made a few adjustments to the patch in #5 to allow for extending the controller class a little easier.

Re-rolled the patch and updated the session unit test.

The use of Nullable parameters forces this to specify a minimum version of php to >=7.1 in the module's composer.json.

@pfrilling was this tested by any chance with OKTA provider?

I get a redirect to: openid-connect/okta?iss=https%3A%2F%2Fdigital-phoenix.okta.com
And it results in you're not authorized to access this page.

Just curious if you're by any chance trying with same provider I do?

Re-rolled #7 onto 2.x. Pushed to MR, and I'm also attaching the patch. No idea if it's possible to generate an interdiff, given how many little things changed from 1.x to 2.x.

#8 is already resolved in branch 2.x.

I was not able to test properly, as I don't yet know how to set the 'state' token. My attempts seemed to trigger a forbidden AccessResult.

Will now open the MR to trigger tests, including a new commit I pushed after #11.

This is the important @todo:

+++ b/src/Controller/OpenIDConnectRedirectController.php
@@ -97,25 +128,64 @@ class OpenIDConnectRedirectController extends ControllerBase implements AccessIn
+    // @todo while re-rolling for #11, it was not clear how to properly resolve
+    // a divergence here:
+    // - #7 reads state from the request $query.
+    // - 2.x reads state from $request.
+    // Decided to favor 2.x for now.

@jedihe, any chance I can ask for you to adapt this to the latest code? The merge request doesn't seem to be applicable anymore.

And I've been changing a lot of stuff that probably has an impact on this code. If you manage to get it to work again, I think this would be a nice feature to have.

Regarding the @todo.. Yes, 2.x is the one to favor. The 1.x version will not get any new features anymore.

Hi @jcnventura! I'm quite busy right now, but if I manage to find some time for contribution, I'll be looking into this one :).

Hi @jcnventura! I managed to update the MR branch with current 2.x and get the unit tests passing (including the new one). I also tried to update some code in OpenIDConnectRedirectController, but I didn't actually test if the various controller methods in it continue working fine.

So, the MR was updated with latest work in 2.x branch, but manual testing is now needed to verify it works and no regressions were introduced.

Any updates on this MR?

I was able to get this patch to apply against the 2.x branch and confirm that it is working with Okta as the IDP. I manually tested logging in from Drupal and also logging in from Okta and both directions seem to be working well. I re-worked the target_link_uri logic and confirm that is working too.

Let me know if you'd like me to force push these changes to the merge request branch that @jedihe created.

#19 is doing the trick for me. It took me a moment to figure out I was putting the iss querystring param in the wrong place.

Thanks for the review @joelsteidl. Marking this as RTBC.

Looks good. Merged.

Thanks for the work but lack of documentation ...
How to get the OID login url and/or the Response object to use it in a custom event subscriber ?