Openid Misconfigured

Openid seems to be misconfigured.

https://kauth.kakao.com/.well-known/openid-configuration

Returns

{
  claim_types_supported: [ 'normal' ],
  claims_parameter_supported: false,
  grant_types_supported: [ 'authorization_code', 'refresh_token' ],
  request_parameter_supported: false,
  request_uri_parameter_supported: true,
  require_request_uri_registration: false,
  response_modes_supported: [ 'query', 'fragment' ],
  token_endpoint_auth_methods_supported: [ 'client_secret_basic' ],
  issuer: 'https://kauth.kakao.com',
  authorization_endpoint: '카카오계정',
  token_endpoint: 'https://kauth.kakao.com/oauth/token',
  userinfo_endpoint: 'https://kapi.kakao.com/v1/oidc/userinfo',
  jwks_uri: 'https://kauth.kakao.com/.well-known/jwks.json',
  subject_types_supported: [ 'public' ],
  id_token_signing_alg_values_supported: [ 'RS256' ],
  response_types_supported: [ 'code' ],
  code_challenge_methods_supported: [ 'S256' ],
  claims_supported: [
    'iss', 'aud',
    'sub', 'auth_time',
    'exp', 'iat',
    'nonce', 'nickname',
    'picture', 'email'
  ]
}

token_endpoint_auth_methods_supported should be ['client_secret_post'] not ['client_secret_basic']

2 likes
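The discovery document tells a relying party how the token endpoint expects client credentials, and a client that trusts the advertised list will send them the wrong way when the list is wrong. The Python below is an added example, not code from this thread or from Kakao. It embeds the relevant part of the metadata quoted above as constructed sample data (the garbled authorization_endpoint value is left out), checks the document against the discovery URL and against the client's configured authentication method, and builds the authorization-code exchange for both client_secret_basic (credentials in an HTTP Basic Authorization header) and client_secret_post (credentials in the form body). The client id, secret, code and redirect URI are placeholder values.

```python
import base64
from urllib.parse import quote, urlencode

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample: the relevant part of the metadata as quoted in the first
# post. The authorization_endpoint value is garbled in the post and is left out.
KAKAO_DISCOVERY_URL = "https://kauth.kakao.com" + WELL_KNOWN
METADATA_AS_POSTED = {
    "issuer": "https://kauth.kakao.com",
    "token_endpoint": "https://kauth.kakao.com/oauth/token",
    "jwks_uri": "https://kauth.kakao.com/.well-known/jwks.json",
    "token_endpoint_auth_methods_supported": ["client_secret_basic"],
    "id_token_signing_alg_values_supported": ["RS256"],
    "grant_types_supported": ["authorization_code", "refresh_token"],
}


def discovery_issues(metadata, discovery_url, client_auth_method):
    """Sanity checks a relying party should run on fetched discovery metadata.

    Returns a list of human-readable problems; an empty list means the document
    is usable with the given client authentication method.
    """
    issues = []
    # OpenID Connect Discovery 4.3: the issuer must equal the discovery URL with
    # the well-known suffix removed; anything else points at a wrong or spoofed document.
    if discovery_url.endswith(WELL_KNOWN):
        expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    else:
        expected_issuer = None
    if metadata.get("issuer") != expected_issuer:
        issues.append("issuer %r does not match discovery location %r"
                      % (metadata.get("issuer"), expected_issuer))
    # OpenID Connect Discovery 3: when the key is absent the default is
    # client_secret_basic, which is the default the reply below refers to.
    supported = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if client_auth_method not in supported:
        issues.append("client auth method %r is not advertised; provider lists %r"
                      % (client_auth_method, supported))
    if "none" in metadata.get("id_token_signing_alg_values_supported", []):
        issues.append("provider advertises unsigned ID tokens (alg 'none'); refuse")
    return issues


def build_token_request(metadata, client_id, client_secret, code, redirect_uri, method):
    """Build the authorization-code exchange for the chosen client auth method.

    Returns a dict with url, headers and the urlencoded body; nothing is sent.
    """
    supported = metadata.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if method not in supported:
        raise ValueError("token endpoint does not advertise %r (supports %r)" % (method, supported))
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 2.3.1: form-urlencode id and secret, join with ':', base64 the pair.
        creds = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(creds.encode("ascii")).decode("ascii")
    elif method == "client_secret_post":
        # Credentials travel in the body instead; nothing goes in the Authorization header.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("unsupported client authentication method %r" % method)
    return {"url": metadata["token_endpoint"], "headers": headers, "body": urlencode(form)}


if __name__ == "__main__":
    # Placeholder client credentials, not real values.
    print(discovery_issues(METADATA_AS_POSTED, KAKAO_DISCOVERY_URL, "client_secret_post"))
    print(build_token_request(METADATA_AS_POSTED, "abc", "xyz", "code123",
                              "https://rp.example/callback", "client_secret_basic"))
```

Run against the metadata as posted, discovery_issues reports that client_secret_post is not advertised, which is exactly the mismatch a library that reads the discovery document would hit; against metadata listing client_secret_post the same client builds a body-authenticated request without an Authorization header.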

@elmarket
Hello.

I think you said that if you omit this option, the default will be “client_secret_basic”.

Thank you for your good point.
We will review it so that the configuration can be modified.

cc @tim.l @lars.1

2 likes

@elmarket
The metadata has been fixed.
Thank you.

@woody.ho @tim.l @lars.1

Thank you for changing the configuration.

Here is one more suggestion that may improve Kakao’s openid authentication flow.

As described in the docs, if you want to log in a user with openid, you may redirect them with the scope set to “openid account_email profile_image profile_nickname”, for example.

But if the user has never been linked to the Kakao Application, then the user sees the Consent prompt.

Even if the user consents to the scope, the “openid” scope is not included in the subsequent callback.

Standard openid clients, like ones used by Firebase auth, will throw an error because there is no “openid” scope so no id_token is returned to the callback.

If “openid” is part of the original scope, please consider passing it on to the callback if the user consents to the other Consent Items. Of course, you will want to test that account_email, profile_image, and profile_nickname all have been consented to by the user because they will be automatically included in the openid token.

Just an idea.

1 like
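The failure described above is a relying party receiving a token response whose granted scope has lost "openid", so no id_token arrives and a standards-following client has nothing to authenticate with. The Python below is an added example, not code from this thread, from Firebase or from Kakao; it shows the checks such a client runs on the token response before it even reaches signature verification: scope downgrade against what was requested, id_token presence when openid was requested, and the iss, aud, nonce, exp and alg values against what the discovery document advertised. The sample token builder is constructed for the demonstration and produces a placeholder signature, which is precisely why a real client must still fetch jwks_uri and verify the RS256 signature after these checks pass. The issuer and claim names come from the thread; the client id, nonce and timestamps are placeholder values.

```python
import base64
import json


def _b64url_decode(segment):
    # JWS segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_sample_id_token(payload, alg="RS256"):
    """Constructed sample token for exercising the checks below.

    The signature segment is a fixed placeholder, so this token can never pass
    real verification against jwks_uri; it only has the shape of an ID token.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return "%s.%s.%s" % (header, body, _b64url_encode(b"placeholder-signature"))


def check_token_response(requested_scope, token_response, expected_issuer,
                         client_id, expected_nonce, allowed_algs, now):
    """Pre-verification checks on the token endpoint response.

    Returns a list of problems. An empty list means the client may go on to
    fetch jwks_uri and verify the id_token signature; it does not mean the
    token is trusted yet.
    """
    problems = []
    requested = set(requested_scope.split())
    # RFC 6749 5.1: the provider may omit 'scope' only when it equals the request.
    granted = set(token_response.get("scope", requested_scope).split())
    missing = requested - granted
    if missing:
        problems.append("scope downgraded by provider, missing: %s" % sorted(missing))
    id_token = token_response.get("id_token")
    if "openid" in requested and not id_token:
        # The case from the thread: openid was requested and the user consented,
        # but no ID token came back, so there is nothing to authenticate with.
        problems.append("openid requested but token response carries no id_token")
        return problems
    if not id_token:
        return problems  # plain OAuth authorization, nothing more to check here
    try:
        header_b64, payload_b64, _signature_b64 = id_token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # covers a bad split, bad base64 and bad JSON alike
        problems.append("id_token is not a well-formed compact JWS")
        return problems
    # Only accept algorithms the provider advertised; this rejects 'none' and
    # any algorithm swap before a verifier is even chosen.
    if header.get("alg") not in allowed_algs:
        problems.append("id_token alg %r not in advertised %r" % (header.get("alg"), allowed_algs))
    if payload.get("iss") != expected_issuer:
        problems.append("iss %r != expected issuer %r" % (payload.get("iss"), expected_issuer))
    aud = payload.get("aud")
    aud_list = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in aud_list:
        problems.append("aud %r does not contain this client" % (aud,))
    if payload.get("nonce") != expected_nonce:
        problems.append("nonce mismatch; token was not minted for this login attempt")
    if not isinstance(payload.get("exp"), (int, float)) or payload["exp"] <= now:
        problems.append("id_token missing exp or already expired")
    return problems


if __name__ == "__main__":
    # Constructed response matching the thread: openid consented but dropped.
    dropped = {"access_token": "at", "token_type": "bearer",
               "scope": "account_email profile_image profile_nickname"}
    print(check_token_response("openid account_email profile_image profile_nickname",
                               dropped, "https://kauth.kakao.com", "abc", "n1", ["RS256"], now=1000))
```

The scope comparison is what surfaces the consent-time bug: the provider reported fewer scopes than were requested, and because "openid" was among the missing ones the client stops with a clear message instead of failing deeper inside id_token parsing.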

hi~

Thank you for the information.
I have forwarded it to the oidc representative.
I’ll share it with you as soon as I get feedback.

1 like

@elmarket hi~

There was a problem at the time of first consent.
It has been fixed, so please check it.

Thank you.

2 likes