lyft / clutch

Extensible platform for infrastructure management

Home Page:https://clutch.sh


Supported grant type check not following oidc spec

markusheiliger opened this issue

Description
The oidc service checks the list of supported grant types returned by the provider discovery call. Based on the OIDC spec, this value is optional. If omitted, the supported grant types are 'authorization_code' and 'implicit'.

Expected Behavior
If the OIDC provider omits the list of supported grant types, clutch should fall back to the default set of supported grant types as stated in the OIDC spec.

Actual Behavior
The implementation doesn't check for an empty list of supported grant types in order to fall back.

Version
commit 2689290

Other Context
n/a

@markusheiliger Thanks for the report! Do you by chance recall what error was returned? It should be either `oidc: claims not set` or `grant type 'authorization_code' not supported by provider`.

@danielhochman The check method returns `grant type 'authorization_code' not supported by provider`, which is wrong in this case. To make the scenario a little more concrete: I'm trying to get clutch running with Azure AD as the OIDC provider. However, Azure AD doesn't return any supported grant types during the discovery call, which means clutch should fall back to the default list of supported grant types, as Azure AD supports 'authorization_code'.
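The fallback described in the issue and the Azure AD case from the reply above, as an added example in Go (clutch's language) that is not clutch's own code: a discovery document is parsed, and when `grant_types_supported` is missing the OpenID Connect Discovery 1.0 default of `authorization_code` and `implicit` is assumed before the grant type check runs. The two discovery documents are constructed for the example, the issuer URLs are placeholders, and the function names (`checkDiscoveryDoc`, `checkGrantType`, `supportedGrantTypes`) are assumptions for illustration. The error string mirrors the one quoted in the thread.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// defaultGrantTypes is what OpenID Connect Discovery 1.0 (section 3, provider
// metadata) tells a relying party to assume when the provider metadata omits
// grant_types_supported.
var defaultGrantTypes = []string{"authorization_code", "implicit"}

// providerMetadata holds the subset of the discovery document this check needs.
type providerMetadata struct {
	Issuer              string   `json:"issuer"`
	GrantTypesSupported []string `json:"grant_types_supported"`
}

// supportedGrantTypes returns the effective list: the provider's own list when it
// advertised one, otherwise the spec default. An explicitly empty list is treated
// the same as an omitted field, matching the wording of the issue.
func supportedGrantTypes(m providerMetadata) []string {
	if len(m.GrantTypesSupported) == 0 {
		return defaultGrantTypes
	}
	return m.GrantTypesSupported
}

// checkGrantType reports whether the provider supports grant type `want`.
// Hypothetical helper; the error text mirrors the one quoted in the thread.
func checkGrantType(m providerMetadata, want string) error {
	for _, gt := range supportedGrantTypes(m) {
		if gt == want {
			return nil
		}
	}
	return fmt.Errorf("grant type '%s' not supported by provider", want)
}

// checkDiscoveryDoc parses a raw discovery document and runs the grant type check.
// Hypothetical helper standing in for the service's discovery-time validation.
func checkDiscoveryDoc(raw []byte, want string) error {
	var m providerMetadata
	if err := json.Unmarshal(raw, &m); err != nil {
		return fmt.Errorf("oidc: parsing discovery document: %w", err)
	}
	return checkGrantType(m, want)
}

// Constructed sample documents (not captured from a real provider).
// The first omits grant_types_supported, as the reply says Azure AD does.
const docWithoutGrantTypes = `{"issuer":"https://login.example.com/tenant/v2.0"}`

// The second advertises a list that lacks authorization_code, so the check must fail.
const docWithGrantTypes = `{"issuer":"https://idp.example.com","grant_types_supported":["client_credentials"]}`

func main() {
	fmt.Println(checkDiscoveryDoc([]byte(docWithoutGrantTypes), "authorization_code"))
	fmt.Println(checkDiscoveryDoc([]byte(docWithGrantTypes), "authorization_code"))
}
```

Note that the fallback only applies to the authorization_code and implicit grants; a client that needs another grant type (say, client_credentials) still has to see it advertised explicitly, and this example keeps that strictness.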