Action Required : UAA Backwards Compatibility for OpenID Connect ID Token Response Type


Sree Tummidi
 

Hi All,

Starting with *CF Release 220*, we have added OpenID Connect ID Token
support in UAA.

Currently this feature is *disabled* by default to remain fully backwards
compatible.


uaa.id_token.disable

description: When set to true, requests to /oauth/authorize will ignore the
response_type=id_token parameter

*default: true*


Our plan is to provide a *30 Day window *(roughly cf-release slated for 2nd
week of November) for Service Authors and other integrators using UAA as
the token server. We will be removing the feature flag and support ID token
response by default after 2nd week of November

*Action Required:*

1. If you have a custom implementation of OAuth client, please update
the parsing logic to handle the response of the /oauth/authorize endpoint.
The main change is that the Location header will have a Fragment (#) and
not a Query String (?). *See [1] below*
2. If you are using the cf-uaa-lib
<https://github.com/cloudfoundry/cf-uaa-lib>, Please update to version
*3.2.4*
3. If you are using a third party library for OAuth/OpenID Connect, most
likely it already supports parsing the response properly and there is no
action required.



Please test your Services or Application using UAA with the
*uaa.id_token.disable* set to *false*



*[1] Details*

During invokation of the /oauth/authorize URL, the normal process is to
specify response_type=code

Some libraries have been specifying response_type=code+id_token

This is a OpenID Connect extension. Previously the UAA ignored the id_token
response_type, but now we have added support. This changes the response of
the /oauth/authorize. The main change is that the Location header will have
a Fragment (#) and not a Query String (?)

$ uaac target http://login. <http://login.identity.cf-app.com/>
{system-domain}

$ uaac token owner get cf marissa -s "" -p koala

$ uaac curl "
<http://login.identity.cf-app.com/oauth/authorize?grant_type=authorization_code&>
http://login. <http://login.identity.cf-app.com/>{system-domain}
/oauth/authorize?grant_type=authorization_code&response_type=code
&client_id=ssh-proxy&redirect_uri=http://localhost"

$ uaac curl "http://login. <http://login.identity.cf-app.com/>
{system-domain}/oauth/authorize?grant_type=authorization_code&
<http://login.identity.cf-app.com/oauth/authorize?grant_type=authorization_code&>
response_type=code+id_token&client_id=ssh-proxy&redirect_uri=
http://localhost"

Location: http://localhost?code=5G9Rm1


*response_type=code+id_token*

Location: http://localhost#
token_type=bearer&id_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiIwMjJmMGUzOC0xNTZlLTRjY2EtYTFmMS1kMGMwNTNkMDY1ZGMiLCJ1c2VyX25hbWUiOiJtYXJpc3NhIiwib3JpZ2luIjoibGRhcCIsImlzcyI6Imh0dHBzOi8vdWFhLmlkZW50aXR5LmNmLWFwcC5jb20vb2F1dGgvdG9rZW4iLCJjbGllbnRfaWQiOiJzc2gtcHJveHkiLCJhdWQiOlsic3NoLXByb3h5Il0sInppZCI6InVhYSIsImdyYW50X3R5cGUiOiJhdXRob3JpemF0aW9uX2NvZGUiLCJ1c2VyX2lkIjoiMDIyZjBlMzgtMTU2ZS00Y2NhLWExZjEtZDBjMDUzZDA2NWRjIiwiYXpwIjoic3NoLXByb3h5Iiwic2NvcGUiOlsib3BlbmlkIl0sImV4cCI6MTQ0MjQ2NDM5MSwiaWF0IjoxNDQyNDIxMTkxLCJqdGkiOiI2ZTBmOThlZS02YzNjLTQzN2UtOGYzZi0yNjE2ZDZhM2U2NzkiLCJlbWFpbCI6Im1hcmlzc2FAdGVzdC5jb20iLCJyZXZfc2lnIjoiZGJlYjYxN2UiLCJjaWQiOiJzc2gtcHJveHkifQ.AQtGa5N9QW47jAehCEIz9K46yNTIJpK5SKrp5IqAZ2AqZhNLzwryLw0wJmZkZ3v3wXqpwm_IryJnJmzui0hsM8ZYsyeDjtGtmd35QjxBe785nVGe2GZeyVQ0CqLNW1C7w34VCnvSfIxo8ecstaS4O0MkBxjQR0CQRQ3XHS4RIJg&
code=aGp5Ig
&expires_in=43199&scope=cloud_controller.read%20cloud_controller.write%20openid&jti=6e0f98ee-6c3c-437e-8f3f-2616d6a3e679


Thanks,
Sree Tummidi
Sr. Product Manager
Identity - Pivotal Cloud Foundry

Join cf-dev@lists.cloudfoundry.org to automatically receive all group messages.