OIDC visualizer #251
OIDC visualizer #251
Conversation
✅ Deploy Preview for criipto-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
nmoskaleva
force-pushed
the
oidc-visualizer
branch
6 times, most recently
from
e582d06 to
ef1ba51
Compare
|
I just tried this and it's really cool! |
|
@fkj thanks a lot for checking it out! I keep asking myself if we need the option to change client configs at all. |
I think once you're at the point where you need custom configuration, you should probably use the Authorize URL Builder anyway. Or your own implementation. |
The intention is for developers to better understand OIDC. And as you said, they can always test their own application elsewhere. |
I think we should allow custom configuration, but just let the user see the error messages. |
| scope: string; | ||
| }; | ||
|
|
||
| const OidcVisualizer = () => { |
There was a problem hiding this comment.
Very large component, suggest maybe breaking seperate steps into seperate components?
| ) : ( | ||
| <button onClick={proceedToVerifyWT} className={baseBtnStyles}> | ||
| Next | ||
| </button> |
There was a problem hiding this comment.
Make it possible to exchange the code again, to trigger the error branch of code replay, this has been requested by @sgryt to show to auditors.
|
@nmoskaleva Looks really freaking awesome so far! |
|
|
||
| <p className="mt-4 text-gray-600"> | ||
| This token is cryptographically signed with the HS256 algorithm. We'll use the | ||
| client secret to confirm the signature is valid. |
There was a problem hiding this comment.
This section is incorrect. If it's a signature from Verify then it's not HS256 and it's assymetrically signed.
| redirectUri: `${typeof window !== 'undefined' ? window.location.origin : 'https://docs.idura.app'}/verify/guides/oidc-visualizer`, | ||
| scope: 'openid', | ||
| responseType: 'code', | ||
| }; |
There was a problem hiding this comment.
Wonder if we should also support private_key_jwt?
Let the user pick
|
@mickhansen thanks for reviewing, I'll address the comments and add more features 👍
I used blue intentionally, yes. We had a discussion about using colors other than our brand colors in some cases. But I'll run the design through Trine once it's done.
We have this double wrapping scattered in the docs, e.g. https://docs.idura.app/verify/getting-started/oidc-intro/#example-authorization-url |
@nmoskaleva Oh, that's also a bug :D |
nmoskaleva
force-pushed
the
oidc-visualizer
branch
5 times, most recently
from
4b85dcd to
cf34207
Compare
|
Suggest perhaps allowing people to pick acr_values? Having the mock one would be beneficial in a few use cases. |
| Now, the authorization code can be exchanged for an access token and an ID token. To | ||
| do this, the authorization server sends a POST request to your token endpoint, | ||
| including the authorization code and the client credentials. Note that the | ||
| authorization code is valid for a single use. |
There was a problem hiding this comment.
This description is a bit awkward?
"The authorization server", I assume you mean "Your application server sends a POST request to the token endpoint".
Be cool if this also showed headers (so one can see the client credentials are used), perhaps visualized more in the standard HTTP visualization format. |
| </div> | ||
|
|
||
| <p className="mt-4 text-gray-600"> | ||
| The token is cryptographically signed by Idura Verify using the RSA algorithm. To |
There was a problem hiding this comment.
The use of RSA could change, perhaps either detect from the token header or just say "signed".
There was a problem hiding this comment.
Updated (to simply "signed") in 9ffc46a
nmoskaleva
force-pushed
the
oidc-visualizer
branch
from
a4e3f34 to
9ffc46a
Compare
|
acr_values added in 5b27c01 |
|
@nmoskaleva This is absolutely great! I'm very much looking forward to showing it to our auditors next time around :) Some ideas for future (post-holiday) unhappy-path options below.
I don't suppose that browsers will let us tamper with the HTTP version for a request (@mickhansen ?) - but would be great to allow for modification to, say, |
|
Awesome suggestions @sgryt, I don't think any of them were on the agenda 👍 |
@sgryt I'm 99% sure you can't do this in the browser. |
Why do we do it in the visualizer then? : ) |
|
Supporting mock auth would be ideal as well, for quicker run throughs |
|
Visually this looks different than the rest of the docs still, also regarding font sizes etc, have you touched bases with Trine on this? |
About to chat with Trine in about an hour! :) |
@mickhansen I was getting CORS errors trying to use Basic auth header, and came to a conclusion this won't work in a browser. Is there a way around it? |
@nmoskaleva Hmm, should work, but we did recently apply some CORS fixes to PAR. |
nmoskaleva
force-pushed
the
oidc-visualizer
branch
from
5b27c01 to
68a5cee
Compare
This allows developers run the OIDC flow using their own application credentials.
nmoskaleva
force-pushed
the
oidc-visualizer
branch
from
68a5cee to
d4f1a25
Compare
The first iteration of OIDC Visualizer.
https://deploy-preview-251--criipto-docs.netlify.app/verify/guides/oidc-visualizer/
TO DO: