OIDC support: hardcoded presumption that is only valid for Authentik

[dataway]

romm/backend/handler/auth/base_handler.py

Line 176 in 9d90749

jwks_url = f"{OIDC_SERVER_APPLICATION_URL}/jwks/"

The OIDC functionality assumes that the JWKS URL is "{OIDC_SERVER_APPLICATION_URL}/jwks/"

This is incorrect behaviour - the JWKS URL can be anywhere. It should be configurable, or - better - be autodiscovered using OpenID Connect Discovery.

[adamantike]

@dataway, thanks for reporting this incorrect behavior.

Is this something you would be able to work on?

[gantoine]

I should be able to tackle this, since we already fetch from well-known/openid-configuration we can use that to get the jwks_uri in most cases.

[dataway]

@dataway, thanks for reporting this incorrect behavior.

Is this something you would be able to work on?

I could have a look but I'm not at all familiar with the code.

I will however be happy to test. I currently have Authentik, Keycloak and Zitadel running in my homelab.

[dataway]

Now I get a new error, but I think I know what the issue is and will try to fix it

INFO:      [RomM][base_handler][2024-12-23 16:00:31] Fetching JWKS from https://*****/oauth/v2/keys
    |     cls.validate_dict_key(value)
    |   File "/src/.venv/lib/python3.12/site-packages/joserfc/rfc7517/models.py", line 239, in validate_dict_key
    |     cls.binding.validate_dict_key_registry(data, cls.param_registry)
    |   File "/src/.venv/lib/python3.12/site-packages/joserfc/rfc7517/models.py", line 64, in validate_dict_key_registry
    |     raise ValueError(f'"{k}" {error}')
    | ValueError: "use" must be one of ['sig', 'enc']
    +------------------------------------

[gantoine]

@dataway going to close this as it should work now, but if you find a fix for your issue can you open a PR for it?