OIDC visualizer

[nmoskaleva]

The first iteration of OIDC Visualizer.
https://deploy-preview-251--criipto-docs.netlify.app/verify/guides/oidc-visualizer/

TO DO:

• Make it possible to trigger code exchange more than once
• Add FTN flow
• Add CIBA

[netlify]

✅ Deploy Preview for criipto-docs ready!

Name	Link
🔨 Latest commit	5b27c01
🔍 Latest deploy log	https://app.netlify.com/projects/criipto-docs/deploys/694a450927f4cb00080c0467
😎 Deploy Preview	https://deploy-preview-251--criipto-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[fkj]

I just tried this and it's really cool!
I don't think we have a good way to check whether the configuration is correct other than just running an authentication. It would probably require some interaction with the dashboard.

[nmoskaleva]

@fkj thanks a lot for checking it out! I keep asking myself if we need the option to change client configs at all.

[fkj]

@fkj thanks a lot for checking it out! I keep asking myself if we need the option to change client configs at all.

I think once you're at the point where you need custom configuration, you should probably use the Authorize URL Builder anyway. Or your own implementation.
But I guess it depends on what the intended target audience and use case for this is?

[nmoskaleva]

But I guess it depends on what the intended target audience and use case for this is?

The intention is for developers to better understand OIDC. And as you said, they can always test their own application elsewhere.

[mickhansen]

Maybe there is a good way to validate input before saving? OR maybe there is no sense to allow custom client configurations at all.

I think we should allow custom configuration, but just let the user see the error messages.

[mickhansen]

Very large component, suggest maybe breaking seperate steps into seperate components?

[nmoskaleva]

4c4a2ca

[mickhansen]

Make it possible to exchange the code again, to trigger the error branch of code replay, this has been requested by @sgryt to show to auditors.

[mickhansen]

@nmoskaleva Looks really freaking awesome so far!
I think adding PAR and client authentication as well would be great. And option to repeat certain steps (which will of course break the flow)

[mickhansen]

This section is incorrect. If it's a signature from Verify then it's not HS256 and it's assymetrically signed.

[nmoskaleva]

Updated in 4c4a2ca

[mickhansen]

Wonder if we should also support private_key_jwt?
Let the user pick

[nmoskaleva]

Added in 84eb278

[mickhansen]

Some of the colors, like the primary buttons, seem different than the rest of the docs - Intentional?

Some code blocks are also double wrapped:

[nmoskaleva]

@mickhansen thanks for reviewing, I'll address the comments and add more features 👍

Some of the colors, like the primary buttons, seem different than the rest of the docs - Intentional?

I used blue intentionally, yes. We had a discussion about using colors other than our brand colors in some cases. But I'll run the design through Trine once it's done.

Some code blocks are also double wrapped:

We have this double wrapping scattered in the docs, e.g. https://docs.idura.app/verify/getting-started/oidc-intro/#example-authorization-url
Moving away from it actually makes sense, thanks for noticing.

[mickhansen]

We have this double wrapping scattered in the docs, e.g. https://docs.idura.app/verify/getting-started/oidc-intro/#example-authorization-url
Moving away from it actually makes sense, thanks for noticing.

@nmoskaleva Oh, that's also a bug :D

[mickhansen]

Suggest perhaps allowing people to pick acr_values? Having the mock one would be beneficial in a few use cases.

[mickhansen]

This description is a bit awkward?
"The authorization server", I assume you mean "Your application server sends a POST request to the token endpoint".

[nmoskaleva]

Absolutely, fixed in 9ffc46a

[mickhansen]

Be cool if this also showed headers (so one can see the client credentials are used), perhaps visualized more in the standard HTTP visualization format.

[mickhansen]

The use of RSA could change, perhaps either detect from the token header or just say "signed".

[nmoskaleva]

Updated (to simply "signed") in 9ffc46a

[nmoskaleva]

acr_values added in 5b27c01

[sgryt]

@nmoskaleva This is absolutely great! I'm very much looking forward to showing it to our auditors next time around :)

Some ideas for future (post-holiday) unhappy-path options below.
I am not sure if all are possible from JS, though, and I'm sorry if I am re-iterating things that are already on the agenda, please consider this to be a just-before-Christmas braindump.

1. Being able to modify the id_token in-place, and an option to re-run the signature validation (to see it break)
2. Offer the option to validate against a "wrong" JWKSet, and also the option to re-run the signature validation (to see it break)
3. Ability to use http instead of https - and then somehow visualize that automatic redirection from HTTP to HTTPS kicks in
4. Showing (select) HTTP response headers (cache-control, CSP, ...maybe others...)
5. For MitID: Tampering with the nonce-cookie to see the flow break (perhaps by replacing it with a correctly encrypted nonce cookie from another flow)
6. SSO: Show that it is supported, and rate-limited, but also that it can be broken by tampering with the cookies.
7. Showing the negotiated TLS version (and being able to downgrade to below TLS 1.2 and see it break)

I don't suppose that browsers will let us tamper with the HTTP version for a request (@mickhansen ?) - but would be great to allow for modification to, say, HTTP/1.0 and then see it break.

[nmoskaleva]

Awesome suggestions @sgryt, I don't think any of them were on the agenda 👍
Will look into it first thing after the holidays.

[fkj]

I don't suppose that browsers will let us tamper with the HTTP version for a request (@mickhansen ?) - but would be great to allow for modification to, say, HTTP/1.0 and then see it break.

@sgryt I'm 99% sure you can't do this in the browser.