
oidc: hydra as federated user auth for AWS Console/API #315

Closed
SonOfBytes opened this issue Dec 1, 2016 · 5 comments
Labels
rfc A request for comments to discuss and share ideas.

Comments

@SonOfBytes

I'm looking to do a spike in using hydra as an ECS service that provides AWS Console/API federated services using Open Connect ID.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html

The first hurdle I hit was that it appears that, when setting up an identity provider in AWS for Open Connect ID, it hits /.well-known/openid-configuration

This seems to be requesting a Thumbprint for the OIDC IDP

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc_verify-thumbprint.html

What is the best suggested way of delivering the requested thumbprint using hydra?
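The thumbprint AWS asks for when you register an OIDC provider is not something the discovery document carries: it is the SHA-1 fingerprint of the certificate at the top of the chain that the IdP's TLS endpoint presents, written as 40 hex characters. The following is an added example, not hydra's code or anything from this thread; it builds a throwaway self-signed chain inline (the host and CA names are constructed placeholders) so it runs offline, and shows which certificate in a served chain to hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Thumbprint returns the SHA-1 fingerprint of a DER-encoded certificate as
// 40 lowercase hex characters, the form the IAM OIDC provider thumbprint
// field takes. SHA-1 here is prescribed by the AWS format, not chosen.
func Thumbprint(der []byte) string {
	sum := sha1.Sum(der)
	return hex.EncodeToString(sum[:])
}

// ThumbprintForChain selects the certificate AWS asks to be pinned: the
// top-most CA certificate the IdP's TLS endpoint presents. chain is in the
// order Go's tls.ConnectionState.PeerCertificates uses, leaf first.
func ThumbprintForChain(chain []*x509.Certificate) (string, error) {
	if len(chain) == 0 {
		return "", fmt.Errorf("empty certificate chain")
	}
	return Thumbprint(chain[len(chain)-1].Raw), nil
}

// newSelfSignedCert builds a throwaway certificate so the example runs
// offline; a real check reads the chain from the live TLS endpoint instead.
func newSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed names; nothing here is a real host or CA.
	leaf, err := newSelfSignedCert("hydra.example.test")
	if err != nil {
		panic(err)
	}
	ca, err := newSelfSignedCert("Example Intermediate CA")
	if err != nil {
		panic(err)
	}
	tp, err := ThumbprintForChain([]*x509.Certificate{leaf, ca})
	if err != nil {
		panic(err)
	}
	fmt.Println("thumbprint of top CA cert:", tp)
}
```

Against a running hydra you would replace the constructed chain with the result of `tls.Dial` to the issuer host and pass `conn.ConnectionState().PeerCertificates` to `ThumbprintForChain`. Because the value pins a CA certificate rather than the leaf, it has to be refreshed whenever the issuer's certificate chain moves to a different intermediate CA, otherwise AWS will stop trusting tokens from the provider.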

@aeneasr
Member

aeneasr commented Dec 1, 2016 via email

@SonOfBytes
Author

SonOfBytes commented Dec 1, 2016

I'm quite new to OIDC and hydra - so I'll probably have the fog of ignorance to work through :P

Looking at a sample elsewhere, this appears to be the broad format:

{
  "issuer": "https://some-auth-service.com/",
  "authorization_endpoint": "https://some-auth-service.com/authorize",
  "token_endpoint": "https://some-auth-service.com/oauth/token",
  "userinfo_endpoint": "https://some-auth-service.com/userinfo",
  "jwks_uri": "https://some-auth-service.com/.well-known/jwks.json",
  "scopes_supported": [
    "cut_for_brevity"
  ],
  "response_types_supported": [
    "code",
    "token",
    "code token"
  ],
  "response_modes_supported": [
    "query",
    "fragment",
    "form_post"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "HS256",
    "RS256"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "claims_supported": [
    "cut_for_brevity"
  ]
}

@aeneasr
Member

aeneasr commented Dec 1, 2016

Jup, that looks about right. You're still going to need the jwks discovery, which should also sort of look like this document (but point to the jwk sets instead).
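As an added example that is not hydra's code or part of this thread, the following shows the two documents an OIDC relying party such as AWS fetches: the provider metadata at /.well-known/openid-configuration and the key set it points to through jwks_uri. The endpoint paths and issuer are taken from the sample posted above and are assumptions, not hydra's real routes; the kid is a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"strings"
)

// Discovery is the subset of OpenID Provider Metadata served at
// /.well-known/openid-configuration; the field names are the standard ones
// that also appear in the sample in this thread.
type Discovery struct {
	Issuer                           string   `json:"issuer"`
	AuthorizationEndpoint            string   `json:"authorization_endpoint"`
	TokenEndpoint                    string   `json:"token_endpoint"`
	UserinfoEndpoint                 string   `json:"userinfo_endpoint"`
	JWKSURI                          string   `json:"jwks_uri"`
	ResponseTypesSupported           []string `json:"response_types_supported"`
	SubjectTypesSupported            []string `json:"subject_types_supported"`
	IDTokenSigningAlgValuesSupported []string `json:"id_token_signing_alg_values_supported"`
}

// JWK is an RSA public key in JSON Web Key form (RFC 7517 / RFC 7518).
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Kid string `json:"kid"`
	Alg string `json:"alg"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document served at jwks_uri; it must hold public material only.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

// NewDiscovery derives the metadata from the issuer URL. The endpoint paths
// are assumptions copied from the sample above, not hydra's own routes.
func NewDiscovery(issuer string) Discovery {
	base := strings.TrimSuffix(issuer, "/")
	return Discovery{
		Issuer:                 issuer, // must match the id_token "iss" claim byte for byte
		AuthorizationEndpoint:  base + "/authorize",
		TokenEndpoint:          base + "/oauth/token",
		UserinfoEndpoint:       base + "/userinfo",
		JWKSURI:                base + "/.well-known/jwks.json",
		ResponseTypesSupported: []string{"code", "id_token", "token id_token"},
		SubjectTypesSupported:  []string{"public"},
		// Only an asymmetric algorithm is advertised: a relying party that
		// verifies through jwks_uri has no shared secret for HS256 tokens.
		IDTokenSigningAlgValuesSupported: []string{"RS256"},
	}
}

// PublicJWK renders an RSA public key as a JWK: n and e are the unsigned
// big-endian integers, base64url-encoded without padding (RFC 7518 6.3.1).
func PublicJWK(pub *rsa.PublicKey, kid string) JWK {
	return JWK{
		Kty: "RSA",
		Use: "sig",
		Kid: kid,
		Alg: "RS256",
		N:   base64.RawURLEncoding.EncodeToString(pub.N.Bytes()),
		E:   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pub.E)).Bytes()),
	}
}

// Handler serves both well-known documents as application/json.
func Handler(d Discovery, keys JWKS) http.Handler {
	serve := func(v interface{}) http.HandlerFunc {
		return func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Content-Type", "application/json")
			_ = json.NewEncoder(w).Encode(v)
		}
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/.well-known/openid-configuration", serve(d))
	mux.HandleFunc("/.well-known/jwks.json", serve(keys))
	return mux
}

func main() {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	d := NewDiscovery("https://some-auth-service.com/") // placeholder issuer from the sample
	jwks := JWKS{Keys: []JWK{PublicJWK(&key.PublicKey, "signing-key-1")}} // constructed kid
	out, _ := json.MarshalIndent(map[string]interface{}{"discovery": d, "jwks": jwks}, "", "  ")
	fmt.Println(string(out))
	_ = Handler(d, jwks) // serve over TLS, e.g. http.ListenAndServeTLS(":443", certFile, keyFile, Handler(d, jwks))
}
```

Two points matter for the AWS use case: the issuer string must be identical in the discovery document, in every id_token's iss claim and in the provider URL registered with IAM, and every key in the JWKS needs a stable kid so a relying party can match the token header to the right key across rotations (publish the new key before signing with it, and keep the old one until its tokens have expired).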

@aeneasr aeneasr added the feat New feature or request. label Dec 1, 2016
@aeneasr aeneasr added request and removed feat New feature or request. labels Dec 13, 2016
@aeneasr aeneasr changed the title Hydra as federated user auth for AWS Console/API oidc: hydra as federated user auth for AWS Console/API Dec 13, 2016
@aeneasr
Member

aeneasr commented Jun 5, 2017

This is now implemented.

@aeneasr aeneasr closed this as completed Jun 5, 2017
@aeneasr aeneasr added rfc A request for comments to discuss and share ideas. and removed request labels Aug 20, 2020