wildfly oidc client fails with invalid id-token


Ram Ct

Jun 27, 2022, 4:33:57 AM
to WildFly
Hi,

I am trying to configure elytron-oidc client with the internal OIDC provider at my company.

I'm using WildFly version 26.1.1.

Looks like the issuer is not the correct match, hence I'm getting an invalid token error.

The internal OP defines the following OIDC endpoints:

Parameter                                         Value

Authorize Endpoint                                FQDN/mga/sps/oauth/oauth20/authorize
Token Endpoint                                    FQDN/mga/sps/oauth/oauth20/token
User Info Endpoint                                FQDN/mga/sps/oauth/oauth20/userinfo
JWKS URI                                          FQDN/mga/sps/oauth/oauth20/jwks/COMOIDC
Discovery URI                                     FQDN/mga/sps/oauth/oauth20/metadata/COMOIDC/.well-known/openid-configuration
Signature Algorithm (RS256 (default) or HS256)    RS256
Client ID                                         aBcDeFgHiJkLmNoPqRsTuVwXyZ
Client Secret (if confidential client)            AbCdEfGhIjKlMnOpQrStUvWxYz


Why should the expected issuer match the provider URL? Isn't that just the FQDN in my case?



oidc.json:

{
    "client-id" : "APP_CLIENT_ID",
    "provider-url" : "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/metadata/COMOIDC",
    "credentials" : {
        "secret" : "sc22vAkkabpklfS13123"
    },
    "ssl-required" : "none",
    "confidential-port" : 8080
}

"ssl-required" : "none"     => temporary, non-secured internal app
"confidential-port" : 8080  => this was needed, otherwise the redirect URI has port 0.



Your help is much appreciated.

Thank you.
Ram



Ram Ct

Jun 27, 2022, 3:16:38 PM
to WildFly
The Issuer Identifier for the OpenID Provider (which is typically obtained during Discovery) MUST exactly match the value of the iss (issuer) Claim.

In my case, the metadata obtained during discovery (response to the .well-known/openid-configuration call) is below:

{
    "issuer": "https://oidc.stage.elogin.company.com",
    "authorization_endpoint": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/authorize",
    "token_endpoint": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/token",
    "userinfo_endpoint": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/userinfo",
    "jwks_uri": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/jwks/companyOIDC",
    "response_types_supported": [
        "token",
        "id_token",
        "token id_token",
        "code",
        "code id_token",
        "code token id_token",
        "code token",
        "none"
    ],
    "response_modes_supported": [
        "fragment",
        "form_post"
    ],
    "grant_types_supported": [
        "implicit",
        "authorization_code",
        "refresh_token"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "id_token_encryption_alg_values_supported": [],
    "id_token_encryption_enc_values_supported": [],
    "poc": "https://oidc.stage.elogin.company.com/mga/",
    "name": "companyOIDC",
    "introspect_endpoint": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/introspect",
    "revocation_endpoint": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/revoke",
    "subject_types_supported": [
        "public"
    ]
}

Farah Juma

Jun 27, 2022, 5:32:56 PM
to WildFly
Thank you for this additional information.

The current implementation uses $PROVIDER_URL/.well-known/openid-configuration to discover additional information about the OpenID provider but currently assumes that the $PROVIDER_URL is the same as the issuer URL.

I've created ELY-2357 to track this.
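The mismatch described in this thread, as an added illustration (not WildFly's or Elytron's code): the OP's Issuer Identifier is discovered from $PROVIDER_URL/.well-known/openid-configuration, so the iss claim has to be compared against the discovered "issuer" value, not against provider-url itself. The discovery document, token and function names below are constructed for the example; signature verification against jwks_uri is a separate step that this snippet does not perform.

```python
import base64
import json

# Constructed discovery document, modelled on the one posted above:
# the issuer is the bare host while the metadata lives under a deeper path.
PROVIDER_URL = "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/metadata/COMOIDC"
DISCOVERY_DOC = {
    "issuer": "https://oidc.stage.elogin.company.com",
    "jwks_uri": "https://oidc.stage.elogin.company.com/mga/sps/oauth/oauth20/jwks/companyOIDC",
    "id_token_signing_alg_values_supported": ["RS256"],
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def id_token_claims(id_token: str) -> dict:
    """Return the payload claims of a compact JWS. The signature must still be
    verified against the keys at jwks_uri before these claims are trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def expected_issuer_naive(provider_url: str) -> str:
    """The behaviour reported in the thread: treat provider-url as the issuer."""
    return provider_url.rstrip("/")


def expected_issuer_discovered(discovery: dict) -> str:
    """Use the 'issuer' value from the discovery document (OIDC Discovery 4.2)."""
    return discovery["issuer"].rstrip("/")


def issuer_matches(id_token: str, expected_issuer: str) -> bool:
    """OIDC Core 3.1.3.7: iss MUST exactly match the discovered Issuer Identifier."""
    return id_token_claims(id_token).get("iss") == expected_issuer


def make_demo_token(claims: dict) -> str:
    """Constructed, unsigned token (empty signature segment) for this demo only."""
    return f"{_b64url_encode({'alg': 'RS256', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed ID token carrying the issuer the OP actually advertises.
SAMPLE_TOKEN = make_demo_token({"iss": "https://oidc.stage.elogin.company.com",
                                "sub": "ram", "aud": "APP_CLIENT_ID"})
```

Comparing SAMPLE_TOKEN against expected_issuer_naive(PROVIDER_URL) fails, which is the "invalid id-token" symptom; comparing it against expected_issuer_discovered(DISCOVERY_DOC) succeeds.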

Farah Juma

Sep 1, 2022, 11:04:11 AM
to WildFly
Just FYI, this has been fixed in WildFly 26.1.2.Final. Thanks for reporting this!