The `client_secret_post` authentication method will be used when the discovery document defines `token_endpoint_auth_methods_supported`, includes `client_secret_post`, and does not include the default `client_secret_basic`.
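The selection rule above, worked through as an added example (this is illustrative code, not the plugin's own implementation): the auth method is derived from the discovery document, and the token request is then built either with HTTP Basic credentials or with the credentials in the form body. The discovery documents used in the test are constructed. One detail worth noting for the Basic case: RFC 6749 section 2.3.1 requires the client id and secret to be form-urlencoded before they are joined with ":" and base64-encoded, which matters for secrets containing ":" or "%".

```ruby
require "base64"
require "uri"

# Decide how to authenticate to the token endpoint from the discovery document.
# OIDC Discovery says the default, when the provider lists nothing, is
# client_secret_basic, so that is what we fall back to.
def token_endpoint_auth_method(discovery)
  supported = discovery["token_endpoint_auth_methods_supported"]
  return "client_secret_basic" unless supported.is_a?(Array)

  if supported.include?("client_secret_post") && !supported.include?("client_secret_basic")
    "client_secret_post"
  else
    "client_secret_basic"
  end
end

# Build the headers and form body of an authorization-code token request for
# the chosen method. Returns a hash; sending it over HTTP is out of scope here.
def token_request(discovery, client_id:, client_secret:, code:, redirect_uri:)
  body = {
    "grant_type" => "authorization_code",
    "code" => code,
    "redirect_uri" => redirect_uri,
  }
  headers = { "Content-Type" => "application/x-www-form-urlencoded" }

  case token_endpoint_auth_method(discovery)
  when "client_secret_post"
    # Credentials travel in the form body, never in the URL.
    body["client_id"] = client_id
    body["client_secret"] = client_secret
  else
    # HTTP Basic per RFC 6749 s2.3.1: form-urlencode each part, then base64.
    encoded = "#{URI.encode_www_form_component(client_id)}:" \
              "#{URI.encode_www_form_component(client_secret)}"
    headers["Authorization"] = "Basic #{Base64.strict_encode64(encoded)}"
  end

  { url: discovery["token_endpoint"], headers: headers, body: body }
end
```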
A new (optional) site setting is introduced which allows `claims` to be explicitly requested.
Co-authored-by: David Taylor <david@taylorhq.com>
Previously an error loading the discovery document would raise an exception. Now, it will display an error to the user, and log the error for site admins to view at `/logs`. Specs are updated and improved accordingly.
This moves the discovery document fetching out of OmniAuth and into Discourse. This makes it available for the upcoming rp-initiated-logout support.
The JWT specification (https://tools.ietf.org/html/rfc7519#page-10) does not require verification of this claim. If the issuer wishes to restrict the validity of the token, they can use the 'nbf' (not before) claim which is intended for this purpose. Discourse will verify the `nbf` claim if it is present.
In practice, clock skew between identity providers and Discourse was causing JWT validity errors to be raised.
This makes use of Faraday middleware to log precise details about all requests made by the OAuth2 gem. This should make it easier to debug configuration issues.
The most common use case is when you want the IDP to start with a specific screen (e.g. signup, rather than sign in). This change has no effect by default, you must add the parameter names to the openid_connect_authorize_parameters site setting.
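An added example of the allowlist behaviour described above; it is not the plugin's own code. It assumes the `openid_connect_authorize_parameters` setting is a pipe-separated list like other Discourse list settings, and it adds one caveat of my own: parameter names that the protocol relies on (`client_id`, `redirect_uri`, `response_type`, `scope`, `state`, `nonce`) are never passed through, so a request parameter cannot override them even if an admin lists them. The request parameters in the test are constructed.

```ruby
require "uri"

# Names a caller must never be able to set via the passthrough mechanism.
RESERVED_AUTHORIZE_PARAMS = %w[client_id redirect_uri response_type scope state nonce].freeze

# Turn the site setting into an allowlist of parameter names.
# Assumption: the setting is pipe-separated, e.g. "screen_hint|login_hint".
def parse_allowlist(setting)
  setting.to_s.split("|").map(&:strip).reject(&:empty?) - RESERVED_AUTHORIZE_PARAMS
end

# Keep only the request parameters whose names are in the allowlist.
# With an empty setting this returns {} and nothing is passed through.
def passthrough_params(request_params, allowlist)
  request_params.select { |name, _| allowlist.include?(name) }
end

# Build the authorization request URL, merging the passthrough parameters
# after the protocol parameters so the latter cannot be replaced.
def authorize_url(authorization_endpoint, client_id:, redirect_uri:, state:, nonce:,
                  scope: "openid", extra: {})
  params = {
    "response_type" => "code",
    "client_id" => client_id,
    "redirect_uri" => redirect_uri,
    "scope" => scope,
    "state" => state,
    "nonce" => nonce,
  }
  extra.each do |name, value|
    next if RESERVED_AUTHORIZE_PARAMS.include?(name)
    params[name] = value
  end

  uri = URI(authorization_endpoint)
  # Preserve any query string the IdP already put on its authorization endpoint.
  existing = uri.query ? URI.decode_www_form(uri.query) : []
  uri.query = URI.encode_www_form(existing + params.to_a)
  uri.to_s
end
```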