
Prepare release.
Apollo3zehn committed Feb 29, 2024
1 parent b121162 commit 30eb335
Showing 3 changed files with 42 additions and 18 deletions.
5 changes: 5 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,8 @@
## v2.0.0-beta.23 - 2024-02-29

### Bugs fixed:
- Do not store all tokens in cookie to solve the "Missing parameters: id_token_hint" error because that makes the cookie very large (> 8 kB). Now only the `id_token` is stored there.

## v2.0.0-beta.22 - 2024-02-28

### Bugs fixed:
53 changes: 36 additions & 17 deletions src/Nexus/Core/NexusAuthExtensions.cs
@@ -1,4 +1,5 @@
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
Expand Down Expand Up @@ -86,22 +87,6 @@ public static IServiceCollection AddNexusAuth(
options.ClientSecret = provider.ClientSecret;

options.CallbackPath = $"/signin-oidc/{provider.Scheme}";

/* OIDC spec RECOMMENDS id_token_hint (= id_token) to be added when
* post_logout_redirect_url is specified
* (https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
*
* To be able to provide that parameter the (large) ID token must
* become part of the auth cookie. The /connect/logout endpoint in
* NexusIdentityProviderExtensions.cs is then getting that logout_hint
* query parameter automatically (this has been tested!).
* This parameter then is part of the httpContext.Request.Query dict.
*
* Why do we enable this when this is just recommended? Because newer
* version of Keycloak REQUIRE it, otherwise we get a
* "Missing parameters: id_token_hint" error.
*/
options.SaveTokens = true;
options.SignedOutCallbackPath = $"/signout-oidc/{provider.Scheme}";

options.ResponseType = OpenIdConnectResponseType.Code;
Expand All @@ -120,6 +105,40 @@ public static IServiceCollection AddNexusAuth(

options.Events = new OpenIdConnectEvents()
{
OnTokenResponseReceived = context =>
{
/* OIDC spec RECOMMENDS id_token_hint (= id_token) to be added when
* post_logout_redirect_url is specified
* (https://openid.net/specs/openid-connect-rpinitiated-1_0.html)
*
* To be able to provide that parameter the ID token must become
* part of the auth cookie. The /connect/logout endpoint in
* NexusIdentityProviderExtensions.cs is then getting that logout_hint
* query parameter automatically (this has been tested!).
* This parameter is then part of the httpContext.Request.Query dict.
*
* Why do we enable this when this is just recommended? Because newer
* version of Keycloak REQUIRE it, otherwise we get a
* "Missing parameters: id_token_hint" error.
*
* Problem is very large size (> 8 kB) of cookie when setting
* options.SaveTokens = true; because then ALL OIDC tokens are stored
* in the cookie then.
*
* Solution: https://github.com/dotnet/aspnetcore/issues/30016#issuecomment-786384559
*/
context.Properties!.StoreTokens(new[]
{
new AuthenticationToken
{
Name = "id_token",
Value = context.TokenEndpointResponse.IdToken
}
});

return Task.CompletedTask;
},

OnTokenValidated = async context =>
{
// scopes
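Review bot: `Value = context.TokenEndpointResponse.IdToken` in the new OnTokenResponseReceived handler is stored unconditionally, yet the token endpoint response is not guaranteed to carry an id_token, so a missing one would end up as an empty `.Token.id_token` entry in the cookie and later as an empty `id_token_hint` on logout rather than a clear failure. A guard such as `if (string.IsNullOrEmpty(context.TokenEndpointResponse.IdToken)) { return Task.CompletedTask; }` ahead of the StoreTokens call keeps the cookie clean, with the logout path in NexusIdentityProviderExtensions.cs then needing to tolerate an absent hint. The `context.Properties!` null-forgiving operator papers over the same kind of gap; `if (context.Properties is null) { return Task.CompletedTask; }` reads as a deliberate guard instead of an assumption. StoreTokens removes any tokens already attached to the properties before writing, which is the intended effect now that SaveTokens is no longer set, but that deserves a one-line comment such as `// Replaces any previously stored tokens; only the id_token is kept, for id_token_hint on logout.` above the call. AddNexusAuth starts and ends outside this hunk.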
2 changes: 1 addition & 1 deletion version.json
@@ -1,4 +1,4 @@
{
"version": "2.0.0",
"suffix": "beta.22"
"suffix": "beta.23"
}
