Skip to content

✨(oidc) add support for generic OIDC IdPs and OIDC clients as users #633

Open
piptouque wants to merge 4 commits into
openfun:mainfrom
piptouque:feat_generic_oidc_client_credentials
Open

✨(oidc) add support for generic OIDC IdPs and OIDC clients as users #633
piptouque wants to merge 4 commits into
openfun:mainfrom
piptouque:feat_generic_oidc_client_credentials

Conversation

@piptouque

@piptouque piptouque commented Jun 15, 2026

Copy link
Copy Markdown

Purpose

This PR contains multiple changes regarding OIDC

Fixes

Changes

Support for generic OIDC IdPs

More specifically, support for IdPs that return a token that is not a JWT.

The ID token and access token are different and have different purpose.
The ID token is always a JWT and contains user claims, but the access token may not be.
With this change, we get the user claims using the access token,
using the /userinfo OIDC endpoint, allowing us to support providers that return opaque access tokens.

Support OIDC clients as 'users'

Client applications, as authenticated with the 'client_credentials' flow, do not have a dedicated user.
As such, we can't get ID tokens for them, always opaque access tokens.
Instead, we authenticate them using their client_id.

But first, we need to check whether the access token we got was from a real Oauth2 user or a OIDC client application.
To do that, we query the /introspection endpoint of our IdP.
This requires that Ralph be registered as another client app to our IdP, and to have configured its client ID and secret.

Proposal

  • Fixed type of IDToken not following specs on aud (may be a list), exp and iat (may be floats)
  • Added query to /introspection endpoint when receiving an OIDC access token to determine if it comes from a ODIC client application or a user
  • Added query to /userinfo endpoint when receiving an OIDC access token if that token represents a user
  • Updated technical documentation
  • Updated CHANGELOG.md

piptouque added 4 commits June 15, 2026 11:23
🐛(oicd) fix types of id token
c586fd0 
The 'aud' claim may be a list:
https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3

The 'exp' and 'iat' claims
are `NumericDate` and
may be floats:
https://www.rfc-editor.org/rfc/rfc7519#section-2
🐛(oicd) fix ignore unrelated scopes
1f7d81e 
The server should ignore any
OAuth 2 scope that it does not
know, instead of returning an error.
✨(oidc) get user claims from /userinfo endpoint
998b35e 
The ID token and access token are different and
have different purpose.
The ID token is always a JWT and contains user claims,
but the access token may not be.
With this change, we get the user claims using the access token,
using the /userinfo OIDC enpoint,
allowing us to support providers that return opaque access tokens.
✨(oidc) add support for client apps as users
51a49e9 
Client applications, as authenticated with
the 'client_credentials' flow, do not have a dedicated user.
As such, we can't get ID tokens for them, always
opaque access tokens.
Instead, we authenticate them using their client_id.

But first, we need to check whether
the access token we got was from a real oauth2 user
or a client app.
To do that, we query the /introspection endpoint of our IdP.
This requires that Ralph
be registered s another client app to our IdP,
and to have configured its client ID and secret.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@piptouque