Allow better control for discovery endpoints to use
Checklist
- [X] I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- [X] I have searched the issues and have not found a suitable solution or answer.
- [X] I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- [X] I agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
I'm setting up an Express.js API to verify tokens issued by a Keycloak v23 instance. Keycloak provides a /.well-known/openid-configuration endpoint but does not publish a /.well-known/oauth-authorization-server endpoint. When using the express-oauth2-jwt-bearer package, it took me reading the source code to see that the only way to use the package was to provide the full URL to the well-known endpoint so it could short-circuit the asserts here: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L31. Otherwise the package also attempts to fetch the oauth-authorization-server endpoint, which isn't available on Keycloak: https://github.com/auth0/node-oauth2-jwt-bearer/blob/main/packages/access-token-jwt/src/discovery.ts#L43-L47
Describe the ideal solution
There are multiple solutions to this problem:
- Improved documentation for use in different auth scenarios, such as OIDC only providers
- Configuration option / environment variable to specify OIDC, OAUTH, or BOTH. Could even default to both, but provide an option to only attempt discovery of one of the 3 scenarios
- Don't fail initialization if both aren't available. Attempt discovery and verification of both endpoints, fail if both are unavailable, but log a warning if one of the two is not available
Alternatives and current workarounds
The current workaround is to specify the full URL to the /.well-known/openid-configuration endpoint. As far as I can tell, this configuration option is not documented.
Additional context
No response
I forgot to specify, but the error I was receiving is the error specified in #132
`InvalidTokenError: Failed to fetch authorization server metadata`
Hi @marchchad 👋
Thanks for the detailed report on the Keycloak discovery endpoint issue. You've hit on a really important point about making our library more flexible for different identity providers.
There are a few ways we could tackle this, and I'm keen to get more input from the community. Hence, I'd like to move this over to our Discussions section.
- Enhancing documentation: We could provide clearer guidance on using the full URL workaround.
- Adding configuration options: We could introduce a way to specify which discovery endpoints to use.
- Modifying behavior: We could change the library to succeed if at least one endpoint is available.
Before we make any changes to the core library, it would be great to hear from other users about their experiences with various identity providers. This will help us land on a solution that works broadly.
Could you share a bit more about your Keycloak setup in the discussion? Any extra details about your configuration would be super helpful as we design a fix.
In the meantime, the workaround you've already found (using the full URL to the discovery endpoint) is definitely the way to go.
Thanks again for bringing this to our attention.
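To make the "succeed if at least one endpoint is available" option concrete (the reporter's third bullet and the maintainer's "Modifying behavior" point), here is an added example that is not code from express-oauth2-jwt-bearer or from either participant. It assumes an injected `fetchJson(url)` loader (async, resolves to parsed JSON, rejects on an HTTP or network error) and uses a constructed stub standing in for a Keycloak realm that publishes only the OIDC document; a full well-known URL still short-circuits to a single fetch, as in the workaround, and metadata naming a different issuer is rejected.

```javascript
const WELL_KNOWN = ['/.well-known/openid-configuration', '/.well-known/oauth-authorization-server'];

function candidateUrls(issuerBaseURL) {
  const base = new URL(issuerBaseURL);
  // A full well-known URL short-circuits discovery (the issue's workaround).
  if (base.pathname.includes('/.well-known/')) return [base.href];
  return WELL_KNOWN.map((p) => base.origin + base.pathname.replace(/\/$/, '') + p);
}

function validateMetadata(data, issuerBaseURL, url) {
  // Expected issuer: configured URL minus any well-known suffix and trailing slash.
  const want = issuerBaseURL.replace(/\/\.well-known\/.*$/, '').replace(/\/$/, '');
  if (!data || typeof data.jwks_uri !== 'string') throw new Error(`metadata at ${url} has no jwks_uri`);
  // A document naming another issuer must be rejected, or tokens with a
  // foreign `iss` would be verified against that issuer's keys.
  if (String(data.issuer).replace(/\/$/, '') !== want) {
    throw new Error(`metadata at ${url} names issuer ${data.issuer}, expected ${want}`);
  }
  return data;
}

// Try every candidate, warn about each that fails, and fail only if none works.
// fetchJson is an assumed injected loader: async, resolves to parsed JSON, rejects on error.
async function discoverMetadata(issuerBaseURL, fetchJson, warn = console.warn) {
  const urls = candidateUrls(issuerBaseURL);
  const results = await Promise.allSettled(
    urls.map(async (url) => validateMetadata(await fetchJson(url), issuerBaseURL, url)),
  );
  const warnings = results.filter((r) => r.status === 'rejected').map((r) => r.reason.message);
  warnings.forEach((msg) => warn(`discovery warning: ${msg}`));
  const ok = results.findIndex((r) => r.status === 'fulfilled');
  if (ok === -1) throw new Error(`Failed to fetch authorization server metadata: ${warnings.join('; ')}`);
  return { source: urls[ok], metadata: results[ok].value, warnings };
}

// Constructed stub for a Keycloak realm: only the OIDC document is published.
const ISSUER = 'https://keycloak.example/realms/demo';
const KEYCLOAK_STUB = {
  [`${ISSUER}/.well-known/openid-configuration`]: {
    issuer: ISSUER,
    jwks_uri: `${ISSUER}/protocol/openid-connect/certs`,
  },
};
async function stubFetchJson(url) {
  if (!(url in KEYCLOAK_STUB)) throw new Error(`404 Not Found: ${url}`);
  return KEYCLOAK_STUB[url];
}

discoverMetadata(ISSUER, stubFetchJson).then((r) => console.log('metadata from', r.source));
```

With the stub, the realm base URL resolves through the OIDC document and logs one warning for the missing oauth-authorization-server document; a base URL where neither document exists rejects with the same "Failed to fetch authorization server metadata" text quoted in the issue.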