Allow better control for discovery endpoints to use #151

Open
4 tasks done
marchchad opened this issue Sep 2, 2024 · 1 comment

Comments

@marchchad

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I'm setting up an Express.js API to verify tokens issued by a Keycloak v23 instance. Keycloak provides a /.well-known/openid-configuration endpoint but does not publish a /.well-known/oauth-authorization-server endpoint. When using the express-oauth2-jwt-bearer package, it took me reading the source code to see that the only way to use the package was to provide the full URL to the well-known endpoint so it could short-circuit the asserts here: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L31. Otherwise the package also attempts to fetch the oauth-authorization-server endpoint, which isn't available on Keycloak: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L43-L47

Describe the ideal solution

There's multiple solutions to this problem:

  • Improved documentation for use in different auth scenarios, such as OIDC only providers
  • Configuration option / environment variable to specify OIDC, OAUTH, or BOTH. Could even default to both, but provide an option to only attempt discovery for one of the three scenarios
  • Don't fail initialization if both aren't available. Attempt discovery and verification of both endpoints, fail if both are unavailable, but log a warning if one of the two is not available

Alternatives and current workarounds

The current workaround is to specify the full URL to the /.well-known/openid-configuration endpoint. As far as I can tell, this configuration option is not documented.

Additional context

No response
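To make the two behaviours in this issue concrete, the following is an added example written for this page; it is not code from the issue author or from express-oauth2-jwt-bearer. It models, with no dependencies, (a) the short-circuit that the reporter uses as a workaround (a configured base URL that already contains `/.well-known/` is fetched verbatim, the way the library's `issuerBaseURL` option is used here), and (b) the proposed "try both endpoints, warn on one failure, fail only when both are unavailable" strategy. The Keycloak realm is a constructed stand-in that serves only openid-configuration and 404s for oauth-authorization-server; the hostname, realm name, and the `fetchFn`/`warn` options are assumptions for the example. It also adds the check a verifier should make regardless of which endpoint answered: the `issuer` claimed in the metadata must match the location it was fetched from.

```javascript
// Added example (not code from the issue or from express-oauth2-jwt-bearer).
// Models OIDC / OAuth metadata discovery against a constructed Keycloak-like
// realm. Hostname, realm and the fetchFn/warn options are assumptions.

const OIDC_PATH = '/.well-known/openid-configuration';
const OAUTH_PATH = '/.well-known/oauth-authorization-server';

// Metadata URLs to try for a configured issuerBaseURL.
// A URL that already contains "/.well-known/" is used verbatim: this is the
// short-circuit the issue relies on as its workaround.
function candidateUrls(issuerBaseURL) {
  const url = new URL(issuerBaseURL);
  if (url.pathname.includes('/.well-known/')) return [url.href];
  const base = url.href.replace(/\/+$/, '');
  return [`${base}${OIDC_PATH}`, `${base}${OAUTH_PATH}`];
}

// The issuer a document fetched from metadataUrl may claim: everything before
// "/.well-known/". Rejecting a mismatch stops a document served at one
// location from asserting an unrelated issuer (OIDC Discovery 4.3, RFC 8414 3.3).
function expectedIssuer(metadataUrl) {
  return metadataUrl.slice(0, metadataUrl.indexOf('/.well-known/')).replace(/\/+$/, '');
}

async function fetchMetadata(metadataUrl, fetchFn) {
  const res = await fetchFn(metadataUrl);
  if (!res.ok) throw new Error(`${metadataUrl}: HTTP ${res.status}`);
  const md = await res.json();
  if (typeof md.issuer !== 'string' || typeof md.jwks_uri !== 'string') {
    throw new Error(`${metadataUrl}: metadata lacks issuer or jwks_uri`);
  }
  if (md.issuer.replace(/\/+$/, '') !== expectedIssuer(metadataUrl)) {
    throw new Error(`${metadataUrl}: issuer "${md.issuer}" does not match location`);
  }
  return md;
}

// Try every candidate; use the first usable document, report the others via
// warn(), and fail only when none of them is usable.
async function discover(issuerBaseURL, { fetchFn, warn = () => {} }) {
  const urls = candidateUrls(issuerBaseURL);
  const settled = await Promise.allSettled(urls.map((u) => fetchMetadata(u, fetchFn)));
  const ok = settled.find((r) => r.status === 'fulfilled');
  const failures = settled.filter((r) => r.status === 'rejected').map((r) => r.reason.message);
  if (!ok) {
    throw new Error(`Failed to fetch authorization server metadata: ${failures.join('; ')}`);
  }
  failures.forEach(warn);
  return ok.value;
}

// Constructed stand-in for a Keycloak realm: openid-configuration is served,
// oauth-authorization-server is a 404. Not a real server.
function fakeKeycloakFetch(issuer) {
  const metadata = {
    issuer,
    jwks_uri: `${issuer}/protocol/openid-connect/certs`,
    token_endpoint: `${issuer}/protocol/openid-connect/token`,
  };
  return async (url) => (url === `${issuer}${OIDC_PATH}`
    ? { ok: true, status: 200, json: async () => metadata }
    : { ok: false, status: 404, json: async () => ({}) });
}

async function demo() {
  const issuer = 'https://keycloak.example.test/realms/demo'; // assumed
  const warnings = [];
  const fetchFn = fakeKeycloakFetch(issuer);
  // Base URL: both endpoints are tried, one warning, discovery still succeeds.
  const a = await discover(issuer, { fetchFn, warn: (m) => warnings.push(m) });
  // Full well-known URL: the short-circuit, only one request is made.
  const b = await discover(`${issuer}${OIDC_PATH}`, { fetchFn });
  return { jwks: a.jwks_uri, sameDoc: a.jwks_uri === b.jwks_uri, warnings };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

With the base URL, `discover` returns the openid-configuration document and emits one warning for the 404 on oauth-authorization-server; with the full well-known URL it makes a single request and returns the same document. A provider that publishes neither endpoint, or whose document claims a different issuer, is rejected with the "Failed to fetch authorization server metadata" error rather than silently accepted.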

@marchchad (Author)

I forgot to specify, but the error I was receiving is the error specified in #132

InvalidTokenError: Failed to fetch authorization server metadata
