Some OIDC providers support signed UserInfo response, to enhance
security. The OIDC client should be free to ask for the user info
sgnature, however in certain situations (e.g egov applications)
where security matters, the OIDC providers might chose to enforce
this sugnature.
Planka was not supported signed UserInfo response, which resulted
in an misleading exception 'invalidCodeOrNonce'.
Introduce the proper configurations to parametrize the OIDC client,
and a dedicated exception to improve the developer experience.
Specifications:
"The UserInfo Claims MUST be returned as the members of a JSON
object unless a signed or encrypted response was requested
during Client Registration."
Planka used a default response_mode 'fragment', which is not supported by all
OIDC providers.
Planka supports only the Authorization Code flow. The default response mode
for the authorization code flow is 'query', meaning the authorization server
appends the authorization code to the redirect URI as a query parameter.
I have added two environment variables: one to use the default response mode
from the OIDC provider, and one to customize the response mode if needed.
Using the default response mode is recommended by the OIDC specification:
"This use of this parameter is NOT RECOMMENDED when the Response Mode that
would be requested is the default mode specified for the Response Type."
To avoid any breaking changes, I kept the default value as 'fragment'. Ideally,
the environment variable should be undefined by default.
lebaudantoine
Maksim Eltyshev
Emmanuel Guyot
Αλέξανδρος
ItzAndriss
Stephan Michard
HannesOberreiter
Sarah Soo
NathanVss
Gavin Mogan
Samuel
Mitch Harvey
Blyamur
Smiley3112
IT Creativity + Art Team
Christopher Greaves
Niccolò Pedrini
leroyloren
Samuel
Felipe