OpenID Provider Metadata is not valid

[ahukkanen]

The OpenID provider metadata that is generated here is not valid:

profile-gdpr-api-tester/gdpr_api_tester/routes.py

Lines 24 to 27 in e4e8f5a

	data = {
	"issuer": app_config.ISSUER,
	"jwks_uri": jwks_uri,
	}

This is a problem for connecting libraries that validate that the returned metadata is correct as defined by the specification.

As per the specification, the following metadata values are marked as REQUIRED:

• issuer - OK
• authorization_endpoint - MISSING
• jwks_uri - OK
• response_types_supported - MISSING
• subject_types_supported - MISSING
• id_token_signing_alg_values_supported - MISSING

The following data definition (for example) would return valid metadata:

    data = {
        "issuer": app_config.ISSUER,
        "authorization_endpoint": f"{app_config.ISSUER}/auth",
        "jwks_uri": jwks_uri,
        "response_types_supported": ["id_token"],
        "subject_types_supported": ["public", "pairwise"],
        "id_token_signing_alg_values_supported": ["RS256"],
    }

[akikoskinen]

Good report 👍 This shall be fixed.

[voneiden]

@ahukkanen Are you aware of any requirements regarding the authorization_endpoint? I set it to a dummy value of https://localhost/openid/authorize in the PR, but feel free to leave a comment before I merge.

[ahukkanen]

@voneiden The specification does not specify any particular format, so it is up to the OIDC server implementation.

For the tester tool (or the service connecting to the tester tool) it is not used for anything, so it can be anything and does not need to respond to any requests, as long as it is defined in the metadata.

[akikoskinen]

As intermediary news, the fix is already in the container image 0.1.0. But not yet in PyPI, that's coming up.