
[Authorization Code Flow Steps] Seems to not include id_token when getting the token #457

Closed
Slals opened this issue Aug 12, 2020 · 8 comments

Comments

@Slals

Slals commented Aug 12, 2020

Hello guys,

Not sure if the following is a bug.

Describe the bug

The flow "Authorization Code Flow" with openid scope and code as response_type does not return the id_token data when fetching the token after getting the code.

https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth

To Reproduce

Auth endpoint /oauth/auth

Example URL `http://localhost:1111/oauth/auth?response_type=code&scope=openid%20email%20profile%20address&client_id=some_id&state=eefaa99407ba2b36f661cf35c656b7cb&redirect_uri=http://avalidurl&username=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`

package main

import (
	"net/http"

	"github.com/ory/fosite"
)

// oauth2Provider is assumed to be a package-level provider configured elsewhere.
var oauth2Provider fosite.OAuth2Provider

func authEndpoint(rw http.ResponseWriter, req *http.Request) {
	ctx := req.Context()

	if req.Method == http.MethodGet {
		req.ParseForm()
	}

	ar, err := oauth2Provider.NewAuthorizeRequest(ctx, req)
	if err != nil {
		oauth2Provider.WriteAuthorizeError(rw, ar, err)
		return
	}

	// When this is not called, the token response in /oauth/token does not include id_token.
	// When this is called I get a server_error when calling NewAuthorizeResponse.
	ar.GrantScope("openid")

	username := req.Form.Get("username")
	if username == "" {
		// do stuff
		return
	}

	// The session in use at the time of this report (see the later comments in this issue).
	session := new(fosite.DefaultSession)

	response, err := oauth2Provider.NewAuthorizeResponse(ctx, ar, session)
	if err != nil {
		oauth2Provider.WriteAuthorizeError(rw, ar, err)
		return
	}

	oauth2Provider.WriteAuthorizeResponse(rw, ar, response)
}

Token Endpoint /oauth/token

// Same package and oauth2Provider as the authorization handler above.
func tokenEndpoint(rw http.ResponseWriter, req *http.Request) {
	ctx := req.Context()
	session := new(fosite.DefaultSession)

	ar, err := oauth2Provider.NewAccessRequest(ctx, req, session)
	if err != nil {
		oauth2Provider.WriteAccessError(rw, ar, err)
		return
	}

	// Not sure if it's required
	ar.GrantScope("openid")
	for _, s := range ar.GetRequestedScopes() {
		switch s {
		case "profile":
			fallthrough
		case "address":
			fallthrough
		case "email":
			fallthrough
		case "phone":
			ar.GrantScope(s)
		}
	}

	// This should create an id_token but it's not present in the returned map.
	// Looking at the source code, NewAccessResponse doesn't even return any id_token (could be wrong).
	response, err := oauth2Provider.NewAccessResponse(ctx, ar)
	if err != nil {
		oauth2Provider.WriteAccessError(rw, ar, err)
		return
	}

	oauth2Provider.WriteAccessResponse(rw, ar, response)
}

Expected behavior

response_type=code and scope=openid should return an id_token when getting the token, after a successful auth flow.

Environment

  • Version: go1.14.2 fosite v0.32.2
  • Environment: Go (oauth) server tunneled through ngrok.

Additional context

I hope I gave enough info, I can provide more.

Any idea what's wrong here? I'm very suspicious about GrantScope: is it required to call it after NewAuthorizeRequest?

@mitar
Contributor

mitar commented Aug 12, 2020

Yes, GrantScope is required. I was bitten by that as well. The interesting thing is that it has to be both in token and authorization endpoint: #435

So you should do a loop like:

	for _, scope := range ar.GetRequestedScopes() {
		ar.GrantScope(scope)
	}

See also: https://github.com/ory/fosite-example/blob/master/authorizationserver/oauth2_auth.go#L49-L51

@Slals
Author

Slals commented Aug 12, 2020

Hey @mitar,

Nice! Thanks, and thanks for the tip using GetRequestedScopes() in loop.

It's out of scope and I'll close this issue afterwards, but how can I get more info about the error I get? Granting the scope openid returns a server_error after doing NewAuthorizeResponse.

@mitar
Contributor

mitar commented Aug 13, 2020

For that you will have to provide full reproduction.

@mitar
Contributor

mitar commented Aug 13, 2020

Also, for posterity, see this comment as well.

@Slals
Author

Slals commented Aug 13, 2020

Hello @mitar,

Thanks for your help. I dove a bit into the code to first get more information from errors. For reference, in case people try to parse fosite errors, just do fosite.ErrorToRFC6749Error(err). You will be able to read .Debug to know what's going on inside fosite.

My issue here is that I was using a wrong session for openid, I used fosite.DefaultSession which doesn't appear to implement the required functions for openid.

I feel like the README has to be updated accordingly; the example does not mention that fosite.DefaultSession only works for the OAuth2 flow. I can update it if you think it's necessary.

To get the right session for openid I wrote these lines:

session := openid.NewDefaultSession()
session.Claims.Subject = username

Didn't test everything yet, but I got through the authorize process.
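The two findings of this thread, that the scopes have to be granted (mitar's loop over GetRequestedScopes above) and that an OpenID session must carry a subject, can be shown together in a small standalone model. The following is an added example, not code from fosite or from this issue: an in-memory authorization server written against the Go standard library only (Go 1.21 or newer for the slices package), with hypothetical authorize and token handlers that mirror the shape of the /oauth/auth and /oauth/token handlers above. The authorization code is stored together with the scopes actually granted for it and the subject, the token endpoint emits an id_token only when "openid" is among those granted scopes, and the grant loop is narrowed to the scopes the client is registered for, so an unknown requested scope is dropped rather than granted. The client id, redirect_uri, state, username and scope values are constructed sample data, and the id_token is an unsigned placeholder claim set rather than a real JWT.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"slices"
	"strings"
)

// What the authorization endpoint recorded when it issued a code.
type authCode struct {
	ClientID      string
	GrantedScopes []string
	Subject       string
}

// In-memory store: client id -> registered scopes, and outstanding codes.
// Unsynchronised because this demo drives it from a single goroutine.
type server struct {
	clients map[string][]string
	codes   map[string]authCode
	nextID  int
}

func newServer(clientID string, scopes []string) *server {
	return &server{clients: map[string][]string{clientID: scopes}, codes: map[string]authCode{}}
}

// grantAllowedScopes is the "grant each requested scope" loop from the thread, narrowed to
// the scopes the client is registered for; anything else is dropped rather than granted.
func grantAllowedScopes(requested, allowed []string) []string {
	var granted []string
	for _, sc := range requested {
		if slices.Contains(allowed, sc) {
			granted = append(granted, sc)
		}
	}
	return granted
}

// authorize models /oauth/auth: the granted scopes and the subject are stored with the code.
func (s *server) authorize(w http.ResponseWriter, r *http.Request) {
	q := r.URL.Query()
	allowed, ok := s.clients[q.Get("client_id")]
	subject := q.Get("username") // stand-in for a real login step, mirroring the issue's reproduction URL
	if !ok || q.Get("response_type") != "code" || q.Get("redirect_uri") == "" || subject == "" {
		http.Error(w, "invalid_request", http.StatusBadRequest)
		return
	}
	s.nextID++
	code := fmt.Sprintf("code-%d", s.nextID)
	s.codes[code] = authCode{q.Get("client_id"), grantAllowedScopes(strings.Fields(q.Get("scope")), allowed), subject}
	http.Redirect(w, r, q.Get("redirect_uri")+"?code="+code+"&state="+url.QueryEscape(q.Get("state")), http.StatusFound)
}

// token models /oauth/token: id_token is added only when "openid" was granted for the code.
func (s *server) token(w http.ResponseWriter, r *http.Request) {
	code := r.FormValue("code")
	ac, ok := s.codes[code]
	delete(s.codes, code) // a code is single use, whether or not it was valid
	if !ok || ac.ClientID != r.FormValue("client_id") {
		http.Error(w, "invalid_grant", http.StatusBadRequest)
		return
	}
	resp := map[string]any{"access_token": "at-" + code, "token_type": "bearer", "scope": strings.Join(ac.GrantedScopes, " ")}
	if slices.Contains(ac.GrantedScopes, "openid") {
		// Unsigned placeholder for the id_token claim set; a real server returns a signed JWT.
		resp["id_token"] = map[string]string{"sub": ac.Subject, "aud": ac.ClientID}
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(resp)
}

// runCodeFlow drives both handlers in-process and returns the decoded token response.
func runCodeFlow(s *server, clientID, scope, username string) (map[string]any, error) {
	params := url.Values{"response_type": {"code"}, "client_id": {clientID}, "scope": {scope},
		"redirect_uri": {"http://app.example/cb"}, "state": {"xyz"}, "username": {username}}
	rec := httptest.NewRecorder()
	s.authorize(rec, httptest.NewRequest(http.MethodGet, "/oauth/auth?"+params.Encode(), nil))
	loc, err := rec.Result().Location() // absent unless the handler redirected with a code
	if err != nil {
		return nil, fmt.Errorf("authorization failed (%s): %w", rec.Result().Status, err)
	}
	form := url.Values{"grant_type": {"authorization_code"}, "code": {loc.Query().Get("code")}, "client_id": {clientID}}
	req := httptest.NewRequest(http.MethodPost, "/oauth/token", strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	rec = httptest.NewRecorder()
	s.token(rec, req)
	var out map[string]any
	return out, json.NewDecoder(rec.Body).Decode(&out)
}

func main() {
	s := newServer("some_id", []string{"openid", "email", "profile"})
	fmt.Println(runCodeFlow(s, "some_id", "openid email address", "alice"))
}
```

Running runCodeFlow with scope "openid email address" against a client registered for openid, email and profile yields a token response whose scope is "openid email" (address was requested but never granted) and an id_token carrying sub; the same flow without "openid" in the request produces no id_token, and an empty username fails at the authorization step, which is this model's version of the requirement that the OpenID session carry a subject (session.Claims.Subject in the comment above). The point the thread arrives at is visible in the token handler: it decides on the id_token from what was granted, not from what was requested.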

@mitar
Contributor

mitar commented Aug 14, 2020

The example has this. Have you checked the example when working on this?

@Slals
Author

Slals commented Aug 14, 2020

Nope, I was mistakenly referring to a comment line in the quickstart saying "This little code snippet sets up a full-blown OAuth2 and OpenID Connect example." I'm closing this issue since there is no bug; I've got it working by implementing it as presented in fosite-example.

@Slals Slals closed this as completed Aug 14, 2020
@mitar
Contributor

mitar commented Aug 14, 2020

I would leave this issue open because yes, that example in README does not work as OpenID Connect provider because it lacks this granting of scopes.
