Using OpenIDConnect does not respect configuration scopes

[vahem2lu]

Code

    'myVeryFancyAuth' => array(
      'authoauth2:OpenIDConnect',
      // *** Required for all integrations ***
      'issuer' => 'https://issuer.something.i.know',
      'clientId' => 'myClientID',
      'clientSecret' => 'VerySecret',
      'scopes' => [ 'openid' ],

      // Most Optional settings for OAuth2 above can be used
      // *** New Optional ***
      // Customize post logout redirect, if you don't want to use the standard /module.php/authoauth2/loggedout.php
      #'postLogoutRedirectUri' => 'https://myapp.example.com/loggedout'
    ),

Results in SimpleSAMLphp error:

SimpleSAML\Error\AuthSource: Error with authentication source 'myVeryFancyAuth': Authentication failed: [invalid_scope] The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope 'profile'.

Backtrace:
5 modules/authoauth2/lib/OAuth2ResponseHandler.php:127 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleErrorResponse)
4 modules/authoauth2/lib/OAuth2ResponseHandler.php:86 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponseFromRequest)
3 modules/authoauth2/lib/OAuth2ResponseHandler.php:55 (SimpleSAML\Module\authoauth2\OAuth2ResponseHandler::handleResponse)
2 modules/authoauth2/www/linkback.php:5 (require)
1 lib/SimpleSAML/Module.php:266 (SimpleSAML\Module::process)
0 www/module.php:10 (N/A)

[pradtke]

Hi @vahem2lu, As far as I know, there are no default scopes defined in the module, it only sends what you configure. You can review the debugging section to enable http logs to see what HTTP requests are being sent to the OIDC OP and determine if the module is sending profile or if it is an issue at the OP. If the module is sending profile then you'll need to debug further to determine where that scope is being set.

[vahem2lu]

Thanks for the tip!

So from the logs I saw request:

[eec40c6bf4] Saved state: '_12ff8d7594355b13fc583ce3313c390eb4598ff087:https://mySSPURL/simplesaml/module.php/core/as_login.php?AuthId=myAuthSourceName&ReturnTo=https.ut.ee.php.php'

See ReturnTo parameter - what the ... is this?
At least it has correct domain in it, but this is clearly not the full URL with the correct ReturnTo URL.

But at least scope is correct in request:

[eec40c6bf4] authoauth2:  redirecting to authorizeURL=https://myOIDCProviderUrl/oidc/authorize?state=authoauth2.ut.ee.php.php.ut.ee.php.php&scope=openid&response_type=code&approval_prompt=auto&redirect_uri=https.ut.ee.php.php&client_id=MyClientID

which results in error

[eec40c6bf4] authoauth2: linkback request=array (
'error' => 'invalid_scope',
'error_description' => 'The requested scope is invalid, unknown, or malformed. The OAuth 2.0 Client is not allowed to request scope \'profile\'.',

[pradtke]

I think you will need to check with the OIDC OP why they are returning an invalid_scope error when you request openid.
As for the weird looking urls in the logs it may depend on your logging system. I've seen rsyslog mangle urls in the logs, while logs to stderr seem fine.

[vahem2lu]

Isn't the error code that I'm not allowed to request profile, not openid. The requested scope does not change when I change scopes in configuration.

There are many scopes supported, none of them are working when using this module with OpenIDConnect. Always returns same error that profile is not allowed. Scope definition seems to work when using in OAUTH2.

"scopes_supported":["openid", "idcard", "mid", "smartid", "email", "phone", "eidas"]

[pradtke]

I thought, from your comments about debugging, that the module is correctly setting the scope correctly and doing a redirect to

https://myOIDCProviderUrl/oidc/authorize?state=authoauth2.ut.ee.php.php.ut.ee.php.php&scope=openid&response_type=code&approval_prompt=auto&redirect_uri=https.ut.ee.php.php&client_id=MyClientID

And that your OIDC OP is giving you the error. From what you said earlier you are trying to request scope openid which is what the logs seem to indicate the module is requesting. If that's not the case, then I don't understand which scopes you are trying to send in the request. You should be able to see the scope sent in your browser using the network trace developer tools built into your browser

[vahem2lu]

Funny is that from debug logs I see that only openid is being sent, but Chrome dev tools shows that profile scope is also being sent.
Doing a

curl -i https://mySSPURL/simplesaml/module.php/core/authenticate.php?as=myVeryFancyAuth

shows that 302 redirect is being made and there's a scope with openid profile

HTTP/1.1 302 Found
/---/
Location: https://myOIDCProviderUrl/oidc/authorize?state=authoauth2[output sanitized]%252Fsimplesaml%252Fmodule.php%252Fcore%252Fauthenticate.php%253Fas%253DmyVeryFancyAuth&scope=openid%20profile&response_type=code&approval_prompt=auto&redirUect_uri=[output sanitized]

It seems like authoauth2:OpenIDConnect is not affected when I edit scopes parameter?
File https://github.com/cirrusidentity/simplesamlphp-module-authoauth2/blob/master/lib/Providers/OpenIDConnectProvider.php#L56 line 56 gives "default scope", but it's not affected by config change. Is it by design?

Anyway, after changing default scope to only openid I will get same error as I was reporting here: #50
Will continue there, maybe it's worth for someone at some point of time in "near" future. 😄

[pradtke]

I've update the documentation https://github.com/cirrusidentity/simplesamlphp-module-authoauth2#openid-connect-usage on how to set the scopes when using the OIDC provider since it doesn't support scopes. I didn't realize that it didn't support setting scopes in the same manner as the rest of the module. I made a code change to allow it in the future.

[vahem2lu]

Thank you, fix is working and scope is now working like it should. :)
Can you, please, update Github release in order Composer to fetch this update? I've tested with master.