If using OIDC as security, API cannot be accessed using Authorization Bearer even after authenticating and getting an access token from OIDC #1055

@aalmenar

Description

Describe the bug

I tried accessing the API, which works perfectly when using basic authentication, but when using OIDC as security it's not possible.

What do you see?

  • Requested a token on the token endpoint of the OIDC to get an access token.
  • Use this token as "Authentication: Bearer $token"
  • Requesting /api/v1/config returns: {"oidc":true,"authenticated":false}
  • Requesting /api/v1/endpoints/statuses returns: token is missing or invalid

From the code I can see that this authentication will never happen, since this is looked up in sessions.Get, which is gocache storage, but was never set with sessions.SetWithTTL because the token was requested from the OIDC.

So from what I can think (maybe I'm wrong), these tokens should be verified against the OIDC and not looked up in the local gocache sessions storage, since they will never be found there.

What do you expect to see?

To have access to the API

List the steps that must be taken to reproduce this issue

No response

Version

Latest from Git and latest docker image as of this writing

Additional information

In case of API access this can be considered M2M usage, so:

  • Client Authentication – The machine authenticates using client credentials.
  • Token Request – The client requests an access token from the OIDC provider.
  • Token Response – The OIDC provider returns an access token (JWT).
  • API Request – The client includes the token in API requests.
  • API Authorization – The API verifies the token and processes the request.

Access token validation should be done using the JWKS, using the information in the jwks_uri found at the issuer URL + "/.well-known/openid-configuration"; that confirmation can then be stored in gocache for fast access until it expires.
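The five-step M2M flow above, written out as an added Go example. This is not Gatus code and not the reporter's: the provider side (token endpoint and jwks_uri) is simulated in-process with a freshly generated RSA key so it runs offline; the issuer `https://idp.example/realms/demo`, the audience `gatus-api` and the key id `k1` are made-up values; and `aud` is assumed to be a plain string. The API-side `Validate` pins RS256, looks the key up by `kid` in the JWKS, checks signature, issuer, audience and expiry, and only then caches the positive result until `exp`, standing in for the gocache `SetWithTTL` the issue mentions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// Claims is the checked subset of JWT claims; aud is assumed to be a plain string (arrays not handled).
type Claims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// Validator verifies RS256 bearer tokens against a JWKS and keeps accepted tokens until exp (the gocache role).
type Validator struct {
	issuer, audience string
	keys             map[string]*rsa.PublicKey
	mu               sync.Mutex
	cache            map[string]Claims
}

// NewValidator parses the JWKS document fetched from the provider's jwks_uri.
func NewValidator(issuer, audience string, jwksJSON []byte) (*Validator, error) {
	var set struct{ Keys []struct{ Kid, Kty, N, E string } } // encoding/json matches "kid", "n", ... case-insensitively
	if err := json.Unmarshal(jwksJSON, &set); err != nil {
		return nil, err
	}
	v := &Validator{issuer: issuer, audience: audience, keys: map[string]*rsa.PublicKey{}, cache: map[string]Claims{}}
	for _, k := range set.Keys {
		n, errN := base64.RawURLEncoding.DecodeString(k.N)
		e, errE := base64.RawURLEncoding.DecodeString(k.E)
		if k.Kty != "RSA" || errN != nil || errE != nil {
			continue // skip EC/encryption/malformed entries; a token citing their kid is rejected later
		}
		v.keys[k.Kid] = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
	}
	return v, nil
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }

func decodeSegment(seg string, into any) error {
	raw, err := base64.RawURLEncoding.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, into)
}

// Validate is what the API should run on "Authorization: Bearer <token>" instead of a session lookup.
func (v *Validator) Validate(token string) (c Claims, fromCache bool, err error) {
	v.mu.Lock()
	defer v.mu.Unlock()
	if hit, ok := v.cache[token]; ok && time.Now().Unix() < hit.Exp {
		return hit, true, nil // already verified and still unexpired: no signature check needed
	}
	delete(v.cache, token) // drop a stale entry, if any, before re-verifying
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || decodeSegment(parts[0], &hdr) != nil || hdr.Alg != "RS256" {
		return Claims{}, false, fmt.Errorf("malformed token or unsupported alg %q", hdr.Alg) // pins RS256: no alg=none, no HMAC downgrade
	}
	key, ok := v.keys[hdr.Kid]
	sig, sigErr := base64.RawURLEncoding.DecodeString(parts[2])
	if !ok || sigErr != nil || rsa.VerifyPKCS1v15(key, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return Claims{}, false, fmt.Errorf("unknown kid %q or invalid signature", hdr.Kid)
	}
	if err := decodeSegment(parts[1], &c); err != nil || c.Iss != v.issuer || c.Aud != v.audience || time.Now().Unix() >= c.Exp {
		return Claims{}, false, fmt.Errorf("claims rejected: bad JSON, issuer, audience or expiry")
	}
	v.cache[token] = c // positive result remembered until exp, like gocache SetWithTTL
	return c, false, nil
}

// SignRS256 and JWKSFor stand in for the provider's token endpoint and jwks_uri, built in-process for the example.
func SignRS256(priv *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64url(hdr) + "." + b64url(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(input))
	return input + "." + b64url(sig)
}

func JWKSFor(pub *rsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string]any{"keys": []map[string]string{{
		"kid": kid, "kty": "RSA", "n": b64url(pub.N.Bytes()), "e": b64url(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}
```

In a real deployment the JWKS bytes come from an HTTP GET of the `jwks_uri` listed in the discovery document (and should be refetched when an unknown `kid` shows up, since providers rotate keys), and the cache would be keyed on a hash of the token rather than the raw string and evicted on TTL, which gocache already does.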
