Refactor of the OpenID Connect plugin

Hey everyone,

I’m looking to improve our security posture, and part of that means that we need to avoid using secret credentials whenever we can.
Unfortunately the OIDC plugin required a client secret credential to hit the /userinfo endpoint, and I couldn’t set up my forum with it enabled.

Fortunately, the OIDC specification is actually defined in a way that doesn’t require the use of any secret tokens.
If we stick to the id_token flow, the IdP will send us all of the information we need to authenticate a user without having to reach back out to the IdP.

This is secure because the redirect is configured in the IdP, and we don’t have to worry about the bearer token being forwarded to the wrong destination.

I went ahead and created a patch for the OIDC plugin to support the id_token flow and submitted a pull request here:

The PR isn’t quite complete since it still needs unit tests, but it’s pretty much there and I’ve confirmed that this works properly with Azure AD (Entra ID).

For ref, here is the documentation for the OIDC plugin:
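Going id_token-only means the relying party has nothing but the token itself to trust, so the client-side checks the OIDC spec calls for (signature against the IdP's published keys, iss, aud, exp, and the nonce that ties the token to the login that requested it) all have to happen locally. The following is an added illustration of that validation in Ruby, not code from the PR or the plugin; the IdP key, kid, issuer, client id and claim values are constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Relying-party check of an id_token received via the id_token flow. With no
# /userinfo round-trip, every claim acted on comes from this token, so the
# signature, iss, aud, exp and nonce are all verified here, locally.
def b64url_decode(s); Base64.urlsafe_decode64(s); end
def b64url_encode(s); Base64.urlsafe_encode64(s, padding: false); end

# jwks maps kid => public key (in production fetched from the IdP's jwks_uri).
# Returns [true, claims] on success or [false, reason] otherwise.
def verify_id_token(token, jwks:, issuer:, client_id:, nonce:, now: Time.now.to_i)
  parts = token.split('.')
  return [false, 'malformed token'] unless parts.size == 3
  header = JSON.parse(b64url_decode(parts[0]))
  # Pin the algorithm so the token cannot select 'none' or an HMAC variant.
  return [false, 'unexpected alg'] unless header['alg'] == 'RS256'
  key = jwks[header['kid']] or return [false, 'unknown kid']
  signed = "#{parts[0]}.#{parts[1]}"
  sig_ok = key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signed)
  return [false, 'bad signature'] unless sig_ok
  claims = JSON.parse(b64url_decode(parts[1]))
  return [false, 'wrong issuer'] unless claims['iss'] == issuer
  return [false, 'wrong audience'] unless Array(claims['aud']).include?(client_id)
  return [false, 'expired'] unless claims['exp'].is_a?(Integer) && now < claims['exp']
  # The nonce binds the token to the browser session that started the login.
  return [false, 'nonce mismatch'] unless claims['nonce'] == nonce
  [true, claims]
rescue ArgumentError, JSON::ParserError, OpenSSL::PKey::PKeyError
  [false, 'malformed token']
end

# Constructed sample: a throwaway IdP key pair and the token it would mint
# (a real IdP signs tokens for you; this exists only so the check can run).
IDP_KEY = OpenSSL::PKey::RSA.new(2048)
JWKS = { 'kid-1' => IDP_KEY.public_key }
GOOD_CLAIMS = { 'iss' => 'https://idp.example', 'aud' => 'forum-client',
                'sub' => 'user-123', 'exp' => 1_900_000_000, 'nonce' => 'n-abc' }

def mint_token(claims, key: IDP_KEY, kid: 'kid-1')
  header = b64url_encode(JSON.generate({ alg: 'RS256', kid: kid, typ: 'JWT' }))
  payload = b64url_encode(JSON.generate(claims))
  sig = key.sign(OpenSSL::Digest.new('SHA256'), "#{header}.#{payload}")
  "#{header}.#{payload}.#{b64url_encode(sig)}"
end
```

Calling `verify_id_token(mint_token(GOOD_CLAIMS), jwks: JWKS, issuer: 'https://idp.example', client_id: 'forum-client', nonce: 'n-abc')` accepts the token, while the same token with a reused nonce, a different audience, or a signature from another key is rejected with the matching reason.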