Need to override discovery document url #188

Open
wt opened this issue Nov 22, 2024 · 3 comments
Comments

@wt

wt commented Nov 22, 2024

Hey there. I am trying to use this lib (3.5.0 version) to auth to Intuit's sandbox. The discovery url for that system is at this URL: https://developer.api.intuit.com/.well-known/openid_sandbox_configuration.

I looked through the code for openidconnect (both 3.5.0 and main branch). It seems to assume that the discovery doc is located at the issuer url with "/.well-known/openid-configuration" appended to the end. Is there any way I can override the appended part of the url for the discovery document so that I can auth to the Intuit sandbox?

Intuit docs are here: https://developer.intuit.com/app/developer/qbo/docs/develop/authentication-and-authorization/oauth-openid-discovery-doc

@ramosbugs
Owner

Hi @wt,

Unfortunately, Intuit isn't following the spec, which is clear about the relationship between the issuer URL and the discovery URL:

OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer.

For sandbox environments, they should be using a distinct issuer URL from their production environment (ideally a different subdomain, but at least a different directory). Having multiple sets of tokens and keys for a given issuer URL can easily lead to security vulnerabilities in client apps, so it's not something I want to support directly in this crate.

As a workaround, you can define a custom HTTP client that rewrites the request URL from the spec-compliant one to the one Intuit expects. The built-in reqwest clients defined here (for the main branch) should provide a starting point for any needed customization. Hope that helps!
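The workaround described in the comment above, as an added example that is not part of the issue or of the openidconnect crate: a standard-library-only Rust model of what a custom HTTP client needs to do. It derives the discovery URL from the issuer the way the spec requires, rewrites that one exact URL to the non-standard location Intuit serves, and then checks that the `issuer` in the fetched document equals the configured issuer (the check that makes sharing one issuer across environments dangerous). The issuer value `https://developer.api.intuit.com`, the `fake_transport` responses and the helper names are assumptions constructed for illustration; the issue does not state Intuit's issuer value.

```rust
// Added example (std-only; models the crate's custom-HTTP-client escape hatch,
// it is not openidconnect's API). All URLs and responses below are constructed.
use std::collections::HashMap;

/// Suffix OpenID Connect Discovery 1.0 appends to the issuer URL.
pub const WELL_KNOWN: &str = "/.well-known/openid-configuration";

/// Assumed issuer for the sandbox (not stated in the issue; placeholder).
pub const INTUIT_ISSUER: &str = "https://developer.api.intuit.com";
/// Non-standard sandbox discovery URL quoted in the issue.
pub const SANDBOX_DISCOVERY_URL: &str =
    "https://developer.api.intuit.com/.well-known/openid_sandbox_configuration";

/// Spec-mandated derivation: drop one trailing slash from the issuer, then
/// append "/.well-known/openid-configuration". This is what the crate does.
pub fn discovery_url(issuer: &str) -> String {
    let trimmed = issuer.strip_suffix('/').unwrap_or(issuer);
    format!("{}{}", trimmed, WELL_KNOWN)
}

/// Exact-match allow-list from spec-compliant discovery URL to the URL a
/// provider actually serves. Anything not registered passes through unchanged,
/// so the hook cannot be steered to an unexpected host by a malformed issuer.
pub struct DiscoveryRewriter {
    overrides: HashMap<String, String>,
}

impl DiscoveryRewriter {
    pub fn new() -> Self {
        Self { overrides: HashMap::new() }
    }

    /// Register one issuer whose document does not live at issuer + WELL_KNOWN.
    pub fn override_for(mut self, issuer: &str, actual_url: &str) -> Self {
        self.overrides.insert(discovery_url(issuer), actual_url.to_string());
        self
    }

    /// Hook a custom HTTP client applies to every outgoing request URL.
    pub fn rewrite(&self, url: &str) -> String {
        self.overrides.get(url).cloned().unwrap_or_else(|| url.to_string())
    }
}

/// Rewriter configured for the Intuit sandbox case from the issue.
pub fn sandbox_rewriter() -> DiscoveryRewriter {
    DiscoveryRewriter::new().override_for(INTUIT_ISSUER, SANDBOX_DISCOVERY_URL)
}

/// Minimal extraction of a top-level JSON string field (assumes the value has
/// no escaped quotes; enough for the constructed document used here).
fn json_string_field(doc: &str, key: &str) -> Option<String> {
    let needle = format!("\"{}\"", key);
    let start = doc.find(&needle)? + needle.len();
    let rest = &doc[start..];
    let colon = rest.find(':')?;
    let rest = rest[colon + 1..].trim_start().strip_prefix('"')?;
    let end = rest.find('"')?;
    Some(rest[..end].to_string())
}

/// Discovery flow: derive the spec URL, apply the rewrite, fetch, and refuse
/// any document whose `issuer` is not byte-identical to the configured issuer.
pub fn discover(
    rewriter: &DiscoveryRewriter,
    issuer: &str,
    transport: impl Fn(&str) -> Option<String>,
) -> Result<String, String> {
    let actual_url = rewriter.rewrite(&discovery_url(issuer));
    let body = transport(&actual_url).ok_or_else(|| format!("no response from {}", actual_url))?;
    let doc_issuer =
        json_string_field(&body, "issuer").ok_or_else(|| "document lacks issuer".to_string())?;
    if doc_issuer != issuer {
        return Err(format!("issuer mismatch: configured {}, document says {}", issuer, doc_issuer));
    }
    Ok(body)
}

/// Constructed stand-in for the network: serves one document at the sandbox
/// URL and nothing elsewhere.
pub fn fake_transport(url: &str) -> Option<String> {
    match url {
        SANDBOX_DISCOVERY_URL => Some(format!(
            "{{\"issuer\":\"{}\",\"jwks_uri\":\"https://placeholder.example/jwks\"}}",
            INTUIT_ISSUER
        )),
        _ => None,
    }
}

fn main() {
    match discover(&sandbox_rewriter(), INTUIT_ISSUER, fake_transport) {
        Ok(doc) => println!("discovered: {}", doc),
        Err(e) => println!("discovery failed: {}", e),
    }
}
```

The rewrite is keyed on the full spec-compliant URL rather than on a host or prefix, so a second environment that happens to share the issuer cannot be reached by accident, and the post-fetch issuer comparison is strict equality as the spec requires; normalising trailing slashes or case there would quietly accept a document from a different issuer.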

@wt
Author

wt commented Nov 23, 2024

Thanks. This is really helpful. I definitely see how Intuit's API is not compliant. It's really unfortunate that it's this hard to work around. I wonder if there is room for an example that implements this kind of workaround?

It might also be helpful to have a comment in the code to indicate that the OIDC spec has a MUST requirement for the location of the discovery doc relative to the issuer. At least that way you wouldn't have to rehash this issue ever again? Maybe just a link to this issue?

@ramosbugs
Owner

I wonder if there is room for an example that implements this kind of workaround?

There aren't currently any examples illustrating a custom HTTP client, and I'd welcome one since it's an escape hatch I suggest a lot.

It might also be helpful to have a comment in the code to indicate that the OIDC spec has a MUST requirement for the location of the discovery doc relative to the issuer. At least that way you wouldn't have to rehash this issue ever again? Maybe just a link to this issue?

Agreed
