Action Required : UAA Backwards Compatibility for OpenID Connect ID Token Response Type
Sree Tummidi
Hi All,
Starting with *CF Release 220*, we have added OpenID Connect ID Token support in UAA. Currently this feature is *disabled* by default to remain fully backwards compatible.

uaa.id_token.disable
description: When set to true, requests to /oauth/authorize will ignore the response_type=id_token parameter
*default: true*

Our plan is to provide a *30 Day window* (roughly, the cf-release slated for the 2nd week of November) for Service Authors and other integrators using UAA as the token server. We will be removing the feature flag and supporting the ID token response type by default after the 2nd week of November.

*Action Required:*

1. If you have a custom implementation of an OAuth client, please update the parsing logic to handle the response of the /oauth/authorize endpoint. The main change is that the Location header will have a Fragment (#) and not a Query String (?). *See [1] below*
2. If you are using the cf-uaa-lib <https://github.com/cloudfoundry/cf-uaa-lib>, please update to version *3.2.4*
3. If you are using a third party library for OAuth/OpenID Connect, most likely it already supports parsing the response properly and there is no action required.

Please test your Services or Application using UAA with *uaa.id_token.disable* set to *false*.

*[1] Details*

During invocation of the /oauth/authorize URL, the normal process is to specify response_type=code. Some libraries have been specifying response_type=code+id_token, which is an OpenID Connect extension. Previously the UAA ignored the id_token response_type, but now we have added support. This changes the response of /oauth/authorize: the Location header will have a Fragment (#) and not a Query String (?).

    $ uaac target http://login.{system-domain}
    $ uaac token owner get cf marissa -s "" -p koala
    $ uaac curl "http://login.{system-domain}/oauth/authorize?grant_type=authorization_code&response_type=code&client_id=ssh-proxy&redirect_uri=http://localhost"
    $ uaac curl "http://login.{system-domain}/oauth/authorize?grant_type=authorization_code&response_type=code+id_token&client_id=ssh-proxy&redirect_uri=http://localhost"

*response_type=code*
Location: http://localhost?code=5G9Rm1

*response_type=code+id_token*
Location: http://localhost#token_type=bearer&id_token=eyJhbGciOiJSUzI1NiJ9.[...].AQtGa5N9QW47jAehCEIz9K46yNTIJpK5SKrp5IqAZ2AqZhNLzwryLw0wJmZkZ3v3wXqpwm_IryJnJmzui0hsM8ZYsyeDjtGtmd35QjxBe785nVGe2GZeyVQ0CqLNW1C7w34VCnvSfIxo8ecstaS4O0MkBxjQR0CQRQ3XHS4RIJg&code=aGp5Ig&expires_in=43199&scope=cloud_controller.read%20cloud_controller.write%20openid&jti=6e0f98ee-6c3c-437e-8f3f-2616d6a3e679

Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry
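As an added example (not part of the original announcement and not code from cf-uaa-lib), here is a small Ruby client-side parser that accepts both redirect shapes, the legacy query string and the new fragment, and extracts the code and id_token. The two sample Location values are constructed placeholders modelled on the uaac calls above; the id_token shape check is a sanity check only and does not replace signature verification.

```ruby
require 'uri'
require 'cgi'

# Parse the Location header returned by UAA's /oauth/authorize.
# With response_type=code the parameters arrive in the query string (?);
# with response_type=code+id_token they arrive in the fragment (#).
# Returns a Hash of parameter name => value plus a 'delivery' key
# ('query' or 'fragment') so callers can see which form was received.
def parse_authorize_redirect(location)
  uri = URI.parse(location)
  if uri.fragment && !uri.fragment.empty?
    raw, delivery = uri.fragment, 'fragment'
  elsif uri.query && !uri.query.empty?
    raw, delivery = uri.query, 'query'
  else
    raise ArgumentError, "Location carries neither a query string nor a fragment: #{location}"
  end
  # CGI.parse returns name => [values]; keep the first value and percent-decode it
  params = CGI.parse(raw).transform_values(&:first)
  raise ArgumentError, 'authorization code missing from redirect' unless params['code']
  params.merge('delivery' => delivery)
end

# Shape check for an id_token: three base64url segments separated by dots.
# This does NOT verify the signature; a real client must validate the JWS
# signature against UAA's token key and check iss/aud/exp before trusting claims.
def jwt_shaped?(token)
  parts = token.to_s.split('.', -1)
  parts.length == 3 && parts.all? { |p| p.match?(/\A[A-Za-z0-9_-]+\z/) }
end

# Constructed sample redirects (placeholder token values, not real UAA output).
LEGACY_LOCATION = 'http://localhost?code=5G9Rm1'
ID_TOKEN_LOCATION = 'http://localhost#token_type=bearer&id_token=aaa.bbb.ccc' \
                    '&code=aGp5Ig&expires_in=43199' \
                    '&scope=cloud_controller.read%20cloud_controller.write%20openid'

if $PROGRAM_NAME == __FILE__
  [LEGACY_LOCATION, ID_TOKEN_LOCATION].each do |loc|
    p parse_authorize_redirect(loc)
  end
end
```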