Is Apex working for Google OpenId? #3
Comments
I haven't tested with Google OpenId yet. It would be interesting to know why it doesn't work. Nimbus has worked well so far (I've wanted to use something that uses native JDK crypto rather than buddy, which uses Bouncy Castle). But there are alternatives such as Auth0's Java libs. See https://jwt.io/ too.
Ok, I haven't found official proof, but I think the access tokens from Google aren't meant to be valid JWTs, and apparently they don't have to be. This is mentioned by Okta: Also, Google itself only talks about "validating an id token". A valid JWT requires three parts; Google gives a string of two parts. So I tried multiple libraries and they all, rightfully, complain about the missing signature. I also didn't find a way to decode parts of this string into something meaningful. Only the API call to Google gives some feedback in the form of JSON:
So could it be that the code here:

```clojure
(merge
 (when id-token
   {:apex.oic/id-token-claims (jwt/claims id-token-jwt)})
 {:apex.oic/access-token-claims (jwt/claims access-token-jwt)
  :apex.oic/access-token access-token})
```

Should actually be:

```clojure
(merge
 (when id-token
   {:apex.oic/id-token-claims (jwt/claims id-token-jwt)})
 (when access-token-claims
   {:apex.oic/access-token-claims access-token-claims})
 {:apex.oic/access-token access-token})
```

I'll continue assuming the latter and wrap the validation of the access token in a try/catch to handle these exceptions.
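Added example, not code from the Apex project or from anyone in this thread: a stand-alone Python (standard library only) version of the check the comment above argues for. Instead of handing every token to a JWT library and catching the exception, it first tests whether the string even has compact JWS shape (exactly three base64url segments whose header and payload decode to JSON), and only then exposes claims; a two-segment opaque access token of the kind Google issues yields no claims rather than an error. The function names `unverified_jwt_claims` and `token_response_to_map`, and the sample tokens, are assumptions constructed for this example; the ID token carries a dummy signature and is not a real Google token.

```python
"""Shape-check tokens before treating them as JWTs.

Added example (Python, standard library only). Not Apex project code; the
token strings below are constructed for illustration and are not real.
"""
import base64
import json
from typing import Optional


def _b64url_decode(segment: str) -> str:
    """Decode a base64url segment, restoring the '=' padding that JWS strips."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding).decode("utf-8")


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url (used only to build the samples)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unverified_jwt_claims(token: str) -> Optional[dict]:
    """Return the payload claims if `token` has compact JWS shape, else None.

    A compact JWS is exactly three base64url segments: header.payload.signature.
    Google OAuth access tokens ("ya29.<opaque>") have two segments and are not
    JWTs, so this returns None for them instead of raising.

    The signature is NOT verified here: this only decides whether a token is
    a JWT at all. An ID token's claims must still be verified against the
    issuer's keys (and iss/aud/exp checked) before they are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8, or not JSON
        return None
    if not isinstance(header, dict) or "alg" not in header:
        return None
    if not isinstance(claims, dict):
        return None
    return claims


def token_response_to_map(id_token: Optional[str], access_token: str) -> dict:
    """Mirror the corrected merge proposed in the thread.

    ID-token claims are included when an ID token is present; access-token
    claims are included only when the access token actually decodes as a JWT;
    the raw access token is always kept, since an opaque one is still usable
    as a bearer token against the provider's own APIs.
    """
    result: dict = {}
    if id_token is not None:
        result["id-token-claims"] = unverified_jwt_claims(id_token)
    access_claims = unverified_jwt_claims(access_token)
    if access_claims is not None:
        result["access-token-claims"] = access_claims
    result["access-token"] = access_token
    return result


# Constructed samples (assumptions, not real tokens): a JWT-shaped ID token
# with a dummy signature, and an opaque two-segment access token.
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "example-kid"}).encode()),
    _b64url_encode(json.dumps({
        "iss": "https://accounts.google.com",
        "sub": "123",
        "aud": "example-client-id",
    }).encode()),
    _b64url_encode(b"not-a-real-signature"),
])
SAMPLE_ACCESS_TOKEN = "ya29.constructed-opaque-access-token"


if __name__ == "__main__":
    print(token_response_to_map(SAMPLE_ID_TOKEN, SAMPLE_ACCESS_TOKEN))
    print(unverified_jwt_claims(SAMPLE_ACCESS_TOKEN))  # None: opaque, not a JWT
```

The shape check is deliberately separate from validation: deciding "is this a JWT?" needs no keys, but trusting the ID token's `iss`, `aud`, `exp` and subject still requires verifying its signature against the issuer's published keys, which the thread's `jwt/claims` via Nimbus is for. For an opaque access token there is nothing local to validate; as the comment notes, only the provider's own token endpoint can say whether it is good.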
This is really useful. I suggest you continue on your fork until you're happy you've got the Google IdP working. We can then compare the two versions, I can retest on the current list of other providers, and we can then merge. I'm sure Google are compliant with the standards and I've made erroneous assumptions here, and I'm more than happy to be corrected.
I'm interested in using the OpenId part outside of Apex (*). I have been able to get your code working with Cognito. For Google, it seems I'm getting an incomplete JWT token (see below). I'm not entirely sure how to test this with Apex (I would have to dive into the application structure). So I'm hoping you could confirm or deny that Google OpenId was working for you. If not, I might actually propose a fix later on.
Can you confirm you had success with Google? If so, I have broken something.
Error after receiving the JWT token (just before validation):
(*) I would love to use Apex for other use cases though!