Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

openidc_ensure_discovered_data doesn't work in the face of errors #250

Closed
bodewig opened this issue Mar 6, 2019 · 4 comments
Closed

openidc_ensure_discovered_data doesn't work in the face of errors #250

bodewig opened this issue Mar 6, 2019 · 4 comments
Assignees

Comments

@bodewig
Copy link
Collaborator

bodewig commented Mar 6, 2019

openidc_ensure_discovered_data is there to ensure the discovery endpoint has been called. It does so by replacing opts.discovery when it contains the discovery URI with the parsed response of said discovery endpoint.

If calling the discovery endpoint fails for some reason the following code

  if type(opts.discovery) == "string" then
    opts.discovery, err = openidc_discover(opts.discovery, opts.ssl_verify, opts.timeout, opts.jwk_expires_in, opts.proxy_opts,
                                           opts.http_request_decorator)
  end

ends up setting opts.discovery to nil - which not only is not a string but also throws away the original configured uri.

This means a later call to the same function with the same opts table will not try to obtain discovery data at all. One can argue that we assume opts to be a fresh table for each invocation of authenticate but this is not necessarily true - and not documented as a recommendation.

At least I'd like to fix the code to only set opts.discovery if it is not nil. A more invasive - and probably not backwards compatible - change would be to use a different key for the parsed response, I'm not sure whether we want to go that far.

@zandbelt
Copy link
Contributor

zandbelt commented Mar 6, 2019

yeah, at the time it seemed to be fast and easy but I agree long term it may be better to differentiate; the fix sounds reasonable

@bodewig
Copy link
Collaborator Author

bodewig commented Mar 6, 2019

OK, I'll take care of it.

the fix sounds reasonable

including "use a different key in opts to store discovered data"?

@bodewig bodewig self-assigned this Mar 6, 2019
@zandbelt
Copy link
Contributor

zandbelt commented Mar 6, 2019

long term, yes; short term "fix the code to only set opts.discovery if it is not nil"

@bodewig
Copy link
Collaborator Author

bodewig commented Mar 6, 2019

see 1fec029 - unfortunately I forgot the magical "closes" commit message

@bodewig bodewig closed this as completed Mar 6, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants