Using OpenID Connect to authenticate users
Hello all,
I want to use OpenID Connect to authenticate my users before they gain access to one of my applications. I want to use my BIG-IP as the OpenID Provider (i.e. the entity that authenticates the users). My issue is the following: the OpenID Provider (my BIG-IP) never provides me with an ID Token. All I have is an “Access Token” and a “Refresh Token” but no “ID Token”.
Below is a description of my lab:
- resource owner: IP address 10.10.255.1
- BIG-IP OpenID Provider: virtual server IP 10.10.255.221 (see below for the access policy)
*The agents are left with their default values.
- Client: I use the OpenID Connect debugger (https://oidcdebugger.com/) in order to request the authorization code. Then I request the tokens using HTML code.
I do the following for testing:
- I request the authorization code from the authorization server (i.e. my virtual server). For this I use the OpenID Connect debugger to construct the request for me. Here is the request that I send:
?client_id=e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b&redirect_uri=https://oidcdebugger.com/debug&scope=openid myscope&response_type=code&response_mode=form_post&state=toto&nonce=7r8saarltr
After sending this request I enter my credentials (in the logon agent), I click on authorize, and the virtual server correctly redirects me to:
https://oidcdebugger.com/debug?code=cae85f6fd33c6b27f56f536b6fd9af2ca0fc78e69ac3d13799533c143b38b4ac&state=toto
I now have a correct authorization code that I can exchange for an “access token” AND an “ID Token”.
- I then send a POST to get the access and ID tokens using the following HTML code:
*Note the presence of “openid” in the scope parameter.
However, this is what I get from the authorization server (see the comment):
-> I have No “ID TOKEN” ☹
Could you please help me configure my access policy so that it supports OpenID Connect and sends me an “ID Token”?
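Added example (not part of the original post and not F5 code): a small client-side checker for the authorization-code flow described above. It builds the same authorization request (the client_id, redirect_uri, state and nonce are the ones in the post; the issuer URL and the authorize path are assumptions), and then inspects a token response the way a relying party should: if `id_token` is absent, the OP answered as a plain OAuth 2.0 server and the flow was not treated as OpenID Connect; if it is present, the ID Token's `iss`, `aud`, `nonce` and `exp` claims are checked against what the client sent. The two token responses at the bottom are constructed for the example, not captured from a BIG-IP, and the sample ID Token is unsigned (`alg=none`) purely so the example runs offline; a real client must verify the signature against the OP's JWKS.

```python
import base64
import json
import time
from urllib.parse import urlencode

# Values taken from the post (client_id, redirect_uri, nonce).
CLIENT_ID = "e1111098ccff5f81859f9fc83eaa000c29267803efc0bb5b"
REDIRECT_URI = "https://oidcdebugger.com/debug"
NONCE = "7r8saarltr"
# Assumed issuer identifier for the BIG-IP virtual server acting as the OP (not from the post).
ISSUER = "https://10.10.255.221"


def build_authorization_url(authorize_endpoint, client_id, redirect_uri, state, nonce,
                            scopes=("openid", "myscope")):
    """Build the authorization request; 'openid' in scope is what turns OAuth 2.0 into OIDC."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "response_type": "code",
        "response_mode": "form_post",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_payload(jwt):
    """Decode a compact JWS payload WITHOUT verifying the signature (inspection only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_response(token_response, expected_issuer, client_id, expected_nonce, now=None):
    """Return a list of problems found in an OIDC token response (empty list = looks sound)."""
    problems = []
    if token_response.get("token_type", "").lower() != "bearer":
        problems.append("token_type is not Bearer")
    if "access_token" not in token_response:
        problems.append("no access_token")
    id_token = token_response.get("id_token")
    if id_token is None:
        # This is the situation in the post: access + refresh token only.
        problems.append("no id_token: response is plain OAuth 2.0, not OpenID Connect")
        return problems
    claims = decode_jwt_payload(id_token)
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain our client_id")
    if claims.get("nonce") != expected_nonce:
        problems.append("nonce mismatch (possible replay)")
    if claims.get("exp", 0) <= now:
        problems.append("id_token expired")
    if "sub" not in claims:
        problems.append("no sub claim")
    return problems


def _make_unsigned_jwt(claims):
    """Build an alg=none JWT for the constructed sample only; never accept alg=none from a real OP."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample responses (not captured from a BIG-IP).
RESPONSE_WITHOUT_ID_TOKEN = {
    "access_token": "abc123",
    "refresh_token": "def456",
    "token_type": "Bearer",
    "expires_in": 3600,
}


def sample_response_with_id_token(now, nonce=NONCE):
    """The response an OIDC-aware OP would have returned for the post's request."""
    return dict(RESPONSE_WITHOUT_ID_TOKEN, id_token=_make_unsigned_jwt({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "alice", "nonce": nonce,
        "iat": int(now), "exp": int(now) + 300,
    }))


if __name__ == "__main__":
    # "/authorize" is an assumed path, not the BIG-IP's real endpoint.
    print(build_authorization_url(f"{ISSUER}/authorize", CLIENT_ID, REDIRECT_URI, "toto", NONCE))
    print(check_token_response(RESPONSE_WITHOUT_ID_TOKEN, ISSUER, CLIENT_ID, NONCE))
    print(check_token_response(sample_response_with_id_token(time.time()), ISSUER, CLIENT_ID, NONCE))
```

Running it against the first sample reproduces the poster's symptom (the only finding is the missing `id_token`), while the second sample passes cleanly; a wrong nonce or an expired `exp` in the second sample is reported as a distinct problem, which is how a relying party should tell an OP configuration problem apart from a replayed or stale token.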