OpenID Connect endpoint discovery can fail


As a convenience, the OpenID Connect configuration tries to discover the OpenID Connect endpoint automatically for Google and Office365.

If the auto discovery fails, then the configuration is not provisioned and as such the provider is not registered. It seems that Office365 does have rate limitations on their discovery endpoint.

The workaround is to provide the discovery information as part of the configuration.


Sander Mak
December 1, 2017, 11:01 AM

Ah, didn't know that. And, I already thought the more gradual approach is what this issue was proposing...

Jan Willem Janssen
December 1, 2017, 10:57 AM

It already does cache the discovery information (rather aggressively actually). We might consider using a more gradual approach: use the preconfigured value if the automatic discovery fails.

Sander Mak
December 1, 2017, 10:54 AM

Another alternative is somehow caching the discovery response; it's not as if this is rapidly changing information.

Jan Willem Janssen
December 1, 2017, 10:48 AM

It appears that Office365 has a rather aggressive rate limiter put before their endpoints: if you make too many requests in a certain period, you're blocked automatically for a certain time. I also see this happening locally if I try to make many OIDC authentication requests after each other during testing. This is not something we can fix at our end, other than providing the OIDC configuration as part of the configuration of the IdProvider.

Won't Fix




Jan Willem Janssen
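The "gradual approach" discussed in the comments (cached discovery, with the preconfigured value used when automatic discovery fails) can be sketched as follows. This is an added example, not code from the project this issue belongs to; `EndpointResolver`, `validate`, the `fetch` callable, the back-off value and the `idp.example` issuer are all hypothetical names and constructed values.

```python
import time

class DiscoveryError(Exception):
    pass

REQUIRED = ("issuer", "authorization_endpoint", "jwks_uri")

def validate(doc, issuer):
    """Reject metadata whose issuer differs from the configured one or whose endpoints are not https."""
    if not isinstance(doc, dict) or doc.get("issuer") != issuer:
        raise DiscoveryError("issuer in metadata does not match configured issuer")
    for key in REQUIRED:
        if not str(doc.get(key, "")).startswith("https://"):
            raise DiscoveryError(f"{key} missing or not https")
    return doc

class EndpointResolver:
    """Hypothetical resolver: fresh cache, then discovery, then stale cache, then static config."""
    def __init__(self, issuer, fetch, static=None, ttl=86400, backoff=300, clock=time.monotonic):
        self.issuer, self.fetch, self.clock = issuer, fetch, clock
        self.ttl, self.backoff = ttl, backoff
        # The preconfigured metadata gets the same checks as a discovered document.
        self.static = validate(static, issuer) if static else None
        self.cached, self.expires, self.next_try = None, 0.0, 0.0

    def resolve(self):
        """Return (metadata, source) so callers can log which path supplied the endpoints."""
        now = self.clock()
        if self.cached and now < self.expires:
            return self.cached, "cache"
        if now >= self.next_try:
            try:
                url = self.issuer.rstrip("/") + "/.well-known/openid-configuration"
                self.cached = validate(self.fetch(url), self.issuer)
                self.expires = now + self.ttl
                return self.cached, "discovery"
            except Exception:
                # Rate limit, timeout or invalid document: do not retry until the back-off ends.
                self.next_try = now + self.backoff
        if self.cached:
            return self.cached, "stale-cache"
        if self.static:
            return self.static, "static"
        raise DiscoveryError("discovery failed and no preconfigured metadata")

if __name__ == "__main__":
    ISS = "https://idp.example"  # constructed sample issuer
    conf = {"issuer": ISS, "authorization_endpoint": ISS + "/auth", "jwks_uri": ISS + "/keys"}
    def rate_limited(url):  # constructed stand-in for a blocked discovery endpoint
        raise IOError("HTTP 429")
    print(EndpointResolver(ISS, rate_limited, static=conf).resolve()[1])
```

With this ordering the provider still registers while the discovery endpoint is blocked, and the returned source label shows in logs when a deployment is running on preconfigured or stale metadata.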