Fix auto-discovery of OIDC details to be too eager #17389
Merged
For custom providers it was not possible to overwrite the discovered default settings, because the discovery would be re-triggered every time that any update was performed, thereby overwriting the custom settings just entered.
The only way out so far was to completely remove the metadata_url from the provider.
For custom providers the discovery now only takes place on the form where the metadata_url is being entered, not on other forms. For Google and Microsoft discovery remains active on all forms. Due to further implementation details this means that on creation they will first fetch their metadata when saving the client details form, while during edit they will also refetch on the name form (where Entra allows changing the tenant, which influences the URLs).
Ticket
OP#59928
What approach did you choose and why?
I made the fetching of settings from the OIDC Discovery endpoint an optional behaviour of the UpdateService. This behaviour is now controllable through a query parameter to the update endpoint. This solution provided the smallest delta to what we already have. It's discussable whether the whole behaviour should be extracted to somewhere else. For example, it surprised me at first that during creation of an Entra provider we do not fetch the endpoint details. However, we never did that, since the CreateService doesn't have the corresponding code. This leads to the somewhat inconsistent behaviour that custom providers will only refetch their details on one form, while Google and Entra will refetch on all forms.
Merge checklist
Added/updated documentation in Lookbook (patterns, previews, etc)
major browsers (Chrome, Firefox, Edge, ...)
in a single browser
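The behaviour the PR describes, as an added example in Ruby that is not OpenProject's own code: an update service whose discovery step is gated by a flag (modelling the new query parameter), plus the per-form policy (custom providers re-discover only on the metadata_url form, Google and Entra on every form). The names `update_provider`, `discover_on?`, `fetch_metadata`, the `Provider` struct and the `idp.example` / `proxy.example` URLs are assumptions for illustration; the discovery document is a constructed stand-in rather than a real HTTP fetch, so the script runs offline.

```ruby
# Added example, not OpenProject's code: a small model of an update service whose
# OIDC discovery step is optional, so that saving a form that does not touch the
# metadata_url can no longer overwrite endpoints an admin entered by hand.

# Constructed stand-in for the discovery document that a real implementation
# would GET from metadata_url (.../.well-known/openid-configuration).
DISCOVERY_DOCS = {
  'https://idp.example/.well-known/openid-configuration' => {
    'authorization_endpoint' => 'https://idp.example/authorize',
    'token_endpoint'         => 'https://idp.example/token',
    'userinfo_endpoint'      => 'https://idp.example/userinfo',
    'jwks_uri'               => 'https://idp.example/jwks'
  }
}.freeze

# Only these keys are taken from the discovery document; any other setting the
# admin configured is never touched by discovery.
DISCOVERED_KEYS = %w[authorization_endpoint token_endpoint userinfo_endpoint jwks_uri].freeze

# Hypothetical provider record: a type (:custom, :google, :entra) and a settings hash.
Provider = Struct.new(:type, :settings)

def fetch_discovery(metadata_url)
  DISCOVERY_DOCS.fetch(metadata_url) do
    raise ArgumentError, "no discovery document for #{metadata_url}"
  end
end

# Policy described in the PR: custom providers re-discover only when the
# metadata_url form is saved; Google and Entra re-discover on every form
# (for Entra the name form can change the tenant, which changes the URLs).
def discover_on?(provider_type, form:)
  case provider_type
  when :google, :entra then true
  else form == :metadata
  end
end

# Hypothetical update service. `fetch_metadata` models the query parameter the
# PR adds to the update endpoint; when false the submitted values are final.
def update_provider(provider, params, fetch_metadata:)
  settings = provider.settings.merge(params)
  if fetch_metadata && settings['metadata_url']
    discovered = fetch_discovery(settings['metadata_url']).slice(*DISCOVERED_KEYS)
    # Discovery wins over submitted values; this is exactly what clobbered
    # custom endpoints when it ran on every update.
    settings = settings.merge(discovered)
  end
  Provider.new(provider.type, settings)
end

# Walks a custom provider through two forms and returns the token endpoint
# under the old always-discover behaviour and under the fixed per-form policy.
def token_endpoint_before_and_after_fix
  provider = Provider.new(:custom, { 'name' => 'Custom IdP' })

  # Metadata form: entering metadata_url triggers discovery (before and after the fix).
  provider = update_provider(
    provider,
    { 'metadata_url' => 'https://idp.example/.well-known/openid-configuration' },
    fetch_metadata: discover_on?(provider.type, form: :metadata)
  )

  # Endpoints form: the admin overrides the discovered token endpoint.
  override = { 'token_endpoint' => 'https://proxy.example/token' }
  clobbered = update_provider(provider, override, fetch_metadata: true)
  kept      = update_provider(provider, override,
                              fetch_metadata: discover_on?(provider.type, form: :endpoints))

  [clobbered.settings['token_endpoint'], kept.settings['token_endpoint']]
end

if $PROGRAM_NAME == __FILE__
  before, after = token_endpoint_before_and_after_fix
  puts "always re-discover: #{before}"  # https://idp.example/token (override lost)
  puts "discover per form:  #{after}"   # https://proxy.example/token
end
```

The point to check in a real implementation is the merge order: discovered values are applied on top of the submitted ones, so any path that sets `fetch_metadata` to true on a form other than the metadata form will silently drop hand-entered endpoints, which is the original bug.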