Problem/Motivation
Forked off from #3033472: [PP-1] Support OpenID Connect Discovery, this intends to implement RFC 7517 JWKs for either standalone use or in conjunction with OpenID Connect discovery (the original ticket).
Remaining tasks
Implementation and testing.
Since we already outsource most of the under-the-hood crypto operations to league/oauth2-server, and it in turn requires lcobucci/jwt, it would make the most sense to assist with completing the JWK implementation in the latter library (an issue has been open for 5+ years - but is still active - to do this!). It may be possible to lift the code from web-token/jwt-framework to do this, since it is MIT-licensed and looks rather mature. (Probably a bit impractical, though, to suggest swapping JWT libraries.)
Another approach could be requiring web-token/jwt-framework directly and, if JWK support ever lands in league or its dependencies, pulling the additional library out of our dependencies.
I (@bradjones1) am leaning toward trying to contrib this in to lcobucci/jwt, seeing as JWK is on its roadmap and the maintainer is actively involved/this is supporting the software we are already using.
User interface changes
None.
API changes
Additions but no removals.
Data model changes
None.
Issue fork simple_oauth-3174705
Comments
Comment #2
bradjones1
Comment #3
bradjones1
Related upstream issues/comments:
https://github.com/thephpleague/oauth2-server/issues/1142 (Proposing a potential change of underlying library in the League package)
https://github.com/thephpleague/oauth2-server/issues/1007#issuecomment-5... (re: JWKs for key loading)
https://github.com/lcobucci/jwt/issues/32 (JWK support in existing dependency)
Comment #4
e0ipso
👏
Comment #5
matt_paz commented
@bradjones1 - It looks like lcobucci/jwt is targeting this for the 5.0.0 release.
https://github.com/lcobucci/jwt/milestone/8
Not sure what a forecast looks like for the 5.0.0 release, but if it is projected to be quite some time (given that 4.0.0 hasn't been released yet), it might make sense to consider the alternatives/stop-gap measures you mentioned. I haven't delved deeply here yet, but figured I'd throw it out there.
I see now that it has been updated for a 4.0.1 release with php 7.4 as a requirement.
https://github.com/lcobucci/jwt/issues/32#issuecomment-719995242
Comment #6
matt_paz commented
@bradjones1 - I haven't assessed it yet, but I noticed that @kamalw was exploring jumbojett/OpenID-Connect-PHP. Thought it might be worth passing along...
https://www.drupal.org/project/simple_oauth/issues/3182418
Comment #7
bradjones1
Note to self: there is a JWKS route added as part of #2999521: Add support for Open Id connect, but it is not useful as an endpoint to consult for verifying issued tokens.
Comment #8
bradjones1
We should also implement RFC 8414. See #3182418: Shouldn't the /oauth/jwks endpoint be accessible without authentication?.
Comment #9
bradjones1
Comment #10
bradjones1
Comment #11
sanduhrs
Comment #13
sanduhrs
Pushed the patch from #3182418: Shouldn't the /oauth/jwks endpoint be accessible without authentication?, not verifying spec compliance yet.
Comment #14
nate covington commented
I'm in the process of trying to use Drupal + Simple_Oauth as the single sign-on server for Synapse / Matrix.
When I set up the configuration for OpenID Connect in Synapse homeserver.yaml file, it was getting a 403 forbidden error when it tried to connect to the /oauth/jwks endpoint.
Just to document my solution: I retrieved my public.key value from the Simple_Oauth module.
Then I used this converter tool:
https://russelldavies.github.io/jwk-creator/
and created a /.well-known/jwks file by hand.
That allowed Synapse to start up with the homeserver.yaml settings intact - yay!
However, when I tried to use app.element.io to log in using Drupal, Synapse was giving this "not canonical" error:
It's trying to get back to matrix.example.com, but for some reason it's passing it over to example.com; the matrix server isn't able to actually process the remainder.
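The PEM-to-JWK step above can be done in code instead of with the browser tool. The script below is an added example, not part of the simple_oauth module and not something posted in this thread: it reads an RSA public key in the `-----BEGIN PUBLIC KEY-----` (SubjectPublicKeyInfo) form that the module's public.key uses, pulls out the modulus and exponent with a minimal DER reader (standard library only), emits the RFC 7517 JWK Set, and sets `kid` to the RFC 7638 thumbprint so that a consumer such as Synapse can select the key by the `kid` in a token header. The embedded key is a constructed toy key (n = 211 * 223, e = 65537) so the script runs offline; the function names are the example's own.

```python
"""Build an RFC 7517 JWK Set from an RSA public key PEM (added example)."""
import base64
import hashlib
import json
import re
from typing import Optional, Tuple

# Constructed toy SubjectPublicKeyInfo: rsaEncryption OID + RSAPublicKey{n=47053, e=65537}.
# A real 2048-bit public.key from the module has the same structure, only longer INTEGERs.
_TOY_SPKI = bytes.fromhex(
    "301e300d06092a864886f70d0101010500030d00300a020300b7cd0203010001"
)
SAMPLE_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    + base64.encodebytes(_TOY_SPKI).decode()
    + "-----END PUBLIC KEY-----\n"
)

_RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def _b64url(data: bytes) -> str:
    """base64url without padding, as JWK members require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _der_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Short and long-form (0x81/0x82) lengths cover any RSA key up to 4096 bits."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_bytes], "big")
        pos += n_bytes
    return tag, buf[pos:pos + length], pos + length


def pem_to_rsa_components(pem: str) -> Tuple[bytes, bytes]:
    """Return (n, e) as minimal unsigned big-endian byte strings."""
    b64 = re.sub(r"-----[A-Z ]+-----|\s", "", pem)
    spki = base64.b64decode(b64)
    tag, spki_body, _ = _der_tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("expected SubjectPublicKeyInfo SEQUENCE")
    _, alg_id, pos = _der_tlv(spki_body, 0)            # AlgorithmIdentifier
    _, oid, _ = _der_tlv(alg_id, 0)
    if oid != _RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _der_tlv(spki_body, pos)      # BIT STRING holding RSAPublicKey
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("unexpected BIT STRING framing")
    _, rsa_pub, _ = _der_tlv(bit_string[1:], 0)        # RSAPublicKey SEQUENCE
    _, n, pos = _der_tlv(rsa_pub, 0)
    _, e, _ = _der_tlv(rsa_pub, pos)
    # DER INTEGER is two's complement: drop the 0x00 sign byte a positive n carries.
    return n.lstrip(b"\x00"), e.lstrip(b"\x00")


def rsa_public_jwk(pem: str) -> dict:
    """JWK for the key, with kid = RFC 7638 thumbprint (SHA-256 over e, kty, n)."""
    n, e = pem_to_rsa_components(pem)
    jwk = {"kty": "RSA", "n": _b64url(n), "e": _b64url(e)}
    # Thumbprint input: required members only, lexically ordered, no whitespace.
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    jwk["kid"] = _b64url(hashlib.sha256(canonical).digest())
    jwk["use"] = "sig"
    jwk["alg"] = "RS256"  # assumption: the token signing algorithm is RS256
    return jwk


def jwks_document(pem: str) -> str:
    """The JSON body to serve at /.well-known/jwks.json."""
    return json.dumps({"keys": [rsa_public_jwk(pem)]}, indent=2)


def find_key(jwks: dict, kid: str) -> Optional[dict]:
    """What a consumer does with the 'kid' from a JWT header: pick the matching key."""
    return next((k for k in jwks["keys"] if k.get("kid") == kid), None)


if __name__ == "__main__":
    print(jwks_document(SAMPLE_PEM))
```

Point the script at the real public.key and serve the output as `/.well-known/jwks.json`; when the signing key is rotated, regenerate the document and the `kid` changes with it, which is what lets a consumer tell old and new keys apart.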
Comment #15
idebr commented
This was fixed in #3552234: Make JWKS endpoint publicly accessible and add /.well-known/jwks.json alias