OAuth2 Compliance Improvements #4535

Open
chris2fr opened this issue Apr 5, 2022 · 3 comments

Comments

@chris2fr

chris2fr commented Apr 5, 2022

Summary

Here is a list of OAuth2 Compliance Improvements:

  1. .well-known/openid-configuration
  2. .well-known/jwks.json
  3. openid scope
  4. nickname username without the @ part

Motivation

This is needed for example by Apache 2 mod_auth_openidc and it would be achievable. It would render OAuth2 usable.

Additional context

{
  "issuer": "https://mail.lesgrandsvoisins.com",
  "authorization_endpoint": "https://mail.lesgrandsvoisins.com/oauth/authorize",
  "token_endpoint": "https://mail.lesgrandsvoisins.com/oauth/token",
  "userinfo_endpoint": "https://mail.lesgrandsvoisins.com/oauth/profile",
  "revocation_endpoint": "",
  "jwks_uri": "this is the kicker for me",
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "code token",
    "code id_token",
    "token id_token",
    "code token id_token",
    "none"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "profile"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_post",
    "client_secret_basic"
  ],
  "claims_supported": [
    "aud",
    "email",
    "email_verified",
    "exp",
    "family_name",
    "given_name",
    "iat",
    "iss",
    "locale",
    "name",
    "picture",
    "sub"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "grant_types_supported": [
    "authorization_code",
    "refresh_token",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:ietf:params:oauth:grant-type:jwt-bearer"
  ]
}
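Items 1 and 2 of the list above (the discovery document and jwks.json) can both be derived from the RS256 public key the token signer uses. The PHP below is an added illustration, not mailcow's code; it assumes PHP 8, a PEM public key at the placeholder path $pub_pem_path, the site base URL in $issuer, and that the web server routes both /.well-known/ paths to this script.

```php
<?php
// Added illustration (not mailcow code): serve a JWK Set (RFC 7517) and an
// OpenID Connect discovery document from the RS256 public key. Assumptions:
// PHP 8, PEM key at $pub_pem_path, base URL in $issuer (both placeholders).

function b64url(string $bin): string {
  return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Turn a PEM public key into an RSA JWK; kid is the RFC 7638 thumbprint.
function rsa_pem_to_jwk(string $pem): array {
  $key = openssl_pkey_get_public($pem);
  if ($key === false) {
    throw new RuntimeException('cannot parse public key: ' . openssl_error_string());
  }
  $details = openssl_pkey_get_details($key);
  if ($details === false || $details['type'] !== OPENSSL_KEYTYPE_RSA) {
    throw new RuntimeException('not an RSA key');
  }
  // n and e come back as raw big-endian integers; JWK wants unpadded base64url.
  $n = b64url($details['rsa']['n']);
  $e = b64url($details['rsa']['e']);
  // Thumbprint input: members e, kty, n in lexicographic order, no whitespace.
  $kid = b64url(hash('sha256', json_encode(['e' => $e, 'kty' => 'RSA', 'n' => $n]), true));
  return ['kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256', 'kid' => $kid, 'n' => $n, 'e' => $e];
}

function discovery_document(string $issuer): array {
  return [
    'issuer' => $issuer,
    'authorization_endpoint' => $issuer . '/oauth/authorize',
    'token_endpoint' => $issuer . '/oauth/token',
    'userinfo_endpoint' => $issuer . '/oauth/profile',
    'jwks_uri' => $issuer . '/.well-known/jwks.json',
    'response_types_supported' => ['code'],
    'subject_types_supported' => ['public'],
    'id_token_signing_alg_values_supported' => ['RS256'],
    'scopes_supported' => ['openid', 'email', 'profile'],
  ];
}

$issuer = 'https://mail.example.com';   // placeholder
$pub_pem_path = '/path/to/public.pem';  // placeholder
$pem = file_get_contents($pub_pem_path);
if ($pem === false) { http_response_code(500); exit; }
header('Content-Type: application/json');
$path = (string) parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH);
echo json_encode(str_ends_with($path, '/jwks.json')
  ? ['keys' => [rsa_pem_to_jwk($pem)]]
  : discovery_document($issuer), JSON_UNESCAPED_SLASHES);
```

A relying party such as mod_auth_openidc can then fetch the discovery document and use the kid in the JWK Set to pick the key that verifies an id_token.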

@berlincount

I would also be in favor of full OpenID Connect support.

@maxpain

maxpain commented Oct 3, 2024

Any updates on this?

@ashkov

ashkov commented Dec 6, 2024

It's possible to create a workaround for OpenID in small steps.
You just need another scope and answer for the OAuth2 profile request.
We can do it just by copying the existing profile.php for OAuth2 and fixing it.

I'm operating with Docker, so you should copy data/web/oauth/profile.php to data/web/oauth/profile-openid.php

Then replace the scope for your needs, for example with openid email profile
And replace the JSON answer.

You will get something like this:

<?php
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/prerequisites.inc.php';

// Reject the request unless it carries a valid bearer token
if (!$oauth2_server->verifyResourceRequest(OAuth2\Request::createFromGlobals())) {
  $oauth2_server->getResponse()->send();
  die;
}
$token = $oauth2_server->getAccessTokenData(OAuth2\Request::createFromGlobals());
// Look up the active mailbox the token was issued for
$stmt = $pdo->prepare("SELECT * FROM `mailbox` WHERE `username` = :username AND `active` = '1'");
$stmt->execute(array(':username' => $token['user_id']));
$mailbox = $stmt->fetch(PDO::FETCH_ASSOC);
if (!empty($mailbox)) {
  // Only answer for the OpenID scope string this endpoint is meant for (exact match)
  if ($token['scope'] == 'openid email profile') {
    header('Content-Type: application/json');
    $email = !empty($mailbox['username']) ? $mailbox['username'] : '[email protected]';
    $name = !empty($mailbox['name']) ? $mailbox['name'] : 'Super Admin';
    $names = explode(' ', $name);
    echo json_encode(array(
      'user_id' => $email,
      // sub is the mailbox username without the @domain part
      'sub' => substr($email, 0, strrpos($email, '@')),
      'email' => $email,
      'email_verified' => true,
      'name' => $name,
      'given_name' => count($names) > 1 ? $names[1] : '',
      'family_name' => $names[0],
      'phone_number' => '',
      'profile' => '',
    ));
    exit;
  }
}
echo json_encode(array(
  'success' => false
));

Then you can use a profile URL like this: https://example.com/oauth/profile-openid
The other URLs are the same as for OAuth2.
