Support Upstream OIDC Providers without a ClientSecret #3194
Comments
FWIW - I have a separate golang application where I have added a variant of the suggested improvement and have verified its use with Okta as an upstream OIDC provider.
cameronbrunner changed the title from "Support Upstream OIDC Servers without a ClientSecret" to "Support Upstream OIDC Providers without a ClientSecret" on Nov 15, 2023
Another implementation offered here #3188
Preflight Checklist
Problem Description
When using the OIDC connector Dex should support a secure method for distributing a common configuration file that could be used by multiple instances of a given application. Presently this is not possible as the OIDC connector requires both a ClientID and ClientSecret, leading to either the distribution of the ClientSecret to all application instances or a unique ClientID for application instances. The former is insecure and the latter is unfeasible with significantly large numbers of application instances.
Proposed Solution
OIDC classifies client applications into two categories, Confidential and Public. Dex presently behaves only as a Confidential application and thus requires a ClientID and ClientSecret. I propose that support for Public be added as an option to the OIDC connector.
I believe all that is required is:
The majority of the actual work is handled in the downstream golang oidc code and was added in April of this year:
golang/oauth2#603
golang/go#59835
Some sample code.
Add something like this to the LoginURL function (dex/connector/oidc/oidc.go, line 253 in e41a28b)
And this to HandleCallback (https://github.com/dexidp/dex/blob/e41a28bf27225ab503eb9feef4feedd03bb4ac71/connector/oidc/oidc.go#L291C18-L291C18)
Alternatives Considered
Additional Information
Discussion on Confidential and Public OIDC applications - https://auth0.com/docs/get-started/applications/confidential-and-public-applications
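As an added illustration of the Confidential/Public split the proposal describes (this is not code from Dex, the referenced PRs or the issue author), a minimal Go sketch: ConnectorConfig, LoginURL and TokenRequestForm are hypothetical stand-ins for the connector's config, its LoginURL step and the HandleCallback token exchange, and the Public-client path assumes PKCE (RFC 7636) binds the request to the client in place of a shared secret.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
)

// ConnectorConfig is a hypothetical stand-in for the connector config; an empty ClientSecret means Public.
type ConnectorConfig struct {
	ClientID, ClientSecret, RedirectURI, AuthURL string
}
func (c ConnectorConfig) IsPublic() bool { return c.ClientSecret == "" }

// NewVerifier returns a random PKCE code_verifier (32 random bytes, 43 URL-safe characters).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b), err
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(code_verifier)) as in RFC 7636.
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// LoginURL builds the authorization request; a Public client binds it to the PKCE challenge instead of a secret.
func LoginURL(c ConnectorConfig, state, verifier string) string {
	q := url.Values{"response_type": {"code"}, "client_id": {c.ClientID},
		"redirect_uri": {c.RedirectURI}, "scope": {"openid"}, "state": {state}}
	if c.IsPublic() {
		q.Set("code_challenge", S256Challenge(verifier))
		q.Set("code_challenge_method", "S256")
	}
	return c.AuthURL + "?" + q.Encode()
}

// TokenRequestForm builds the code-exchange body: client_secret only when Confidential, code_verifier when Public.
func TokenRequestForm(c ConnectorConfig, code, verifier string) url.Values {
	v := url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {c.RedirectURI}, "client_id": {c.ClientID}}
	if c.IsPublic() {
		v.Set("code_verifier", verifier)
	} else {
		v.Set("client_secret", c.ClientSecret)
	}
	return v
}
```

The verifier must be kept server-side between the two steps (in Dex's case, alongside the login state) so HandleCallback can present it; a Public client that cannot do that gains nothing from dropping the secret.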