From f572b8af3e6711de97105e5d3527d12ef4f93ac5 Mon Sep 17 00:00:00 2001
From: Emanuele Aina <emanuele.aina@collabora.com>
Date: Thu, 11 Jul 2024 18:55:24 +0200
Subject: [PATCH] README: Point out some subtleties around client auth methods

With commit ad28b94f9b80 "Validate client_id and client_secret values"
the mediator started paying attention to client authentication.

Since our integration test cargo-culted some configuration parameter
straight from the GitLab configuration examples the mediator ended up
implementing what the OpenID-Connect spec calls the `client_secret_post`
authentication method, see
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication

Unfortunately, the spec also says that the actual default is
`client_secret_basic`, so any real world usage is bound to fail unless
some specific configuration is applied.

To minimize confusion, let's drop the cargo-culted option from the
example and add a note pointing to the spec and to the upstream
GitLab documentation, while still keeping the `client_secret_post` usage
in the GitLab integration test to exercise the codepath.

Signed-off-by: Emanuele Aina <emanuele.aina@collabora.com>
---
 README.md                  | 16 +++++++++++++++-
 docker-compose-gitlab.yaml |  2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0153044..ab2c61e 100644
--- a/README.md
+++ b/README.md
@@ -120,7 +120,6 @@ GITLAB_OMNIBUS_CONFIG: |
                 'scope' => ['openid', 'profile', 'email'],
                 'response_type' => 'code',
                 'issuer' => 'http://${oidc-provider}:${oidc-provider-port:-5556}/dex',
-                'client_auth_method' => 'query',
                 'discovery' => false, # GitLab discovery expects HTTPS
                 'uid_field' => 'preferred_username',
                 'client_options' => {
@@ -137,6 +136,21 @@ GITLAB_OMNIBUS_CONFIG: |
     ]
 ```
 
+Note that for the [OpenID-Connect spec](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
+`basic` is the default client auth method if no different mechanism is
+configured at the client registration time.
+
+Quoting the [GitLab documentation](https://docs.gitlab.com/ee/administration/auth/oidc.html):
+
+> - `client_auth_method` (optional) specifies the method used for authenticating
+>   the client with the OpenID Connect provider.
+>   - Supported values are:
+>     - `basic` - HTTP Basic Authentication.
+>     - `jwt_bearer` - JWT-based authentication (private key and client secret signing).
+>     - `mtls` - Mutual TLS or X.509 certificate validation.
+>     - Any other value posts the client ID and secret in the request body.
+>   - If not specified, this value defaults to `basic`.
+
 Remember to open `80` port and [create API token](https://docs.gitlab.com/ee/user/profile/personal_access_tokens.html#create-a-personal-access-token-programmatically) for later use by the AuthZ mediator.
 
 ### AuthZ mediator
diff --git a/docker-compose-gitlab.yaml b/docker-compose-gitlab.yaml
index d24d933..0d837b5 100644
--- a/docker-compose-gitlab.yaml
+++ b/docker-compose-gitlab.yaml
@@ -19,6 +19,8 @@ services:
               'scope' => ['openid', 'profile', 'email'],
               'response_type' => 'code',
               'issuer' => 'http://oidc-provider:5556/dex',
+              # opt-in to client_secret_post client auth for no particular reason
+              # https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
               'client_auth_method' => 'query',
               'discovery' => false, # GitLab discovery expects HTTPS
               'uid_field' => 'preferred_username',
-- 
GitLab