
Update the Pro Santé Connect provider to make the client certificate setting required #2172

Open
1 task done
kevinchalet opened this issue Sep 2, 2024 · 2 comments

Comments

@kevinchalet
Member

Confirm you've already contributed to this project or that you sponsor it

  • I confirm I'm a sponsor or a contributor

Describe the solution you'd like

Using mTLS is now mandatory for the sandbox environment and will be required for the production environment in late 2024, as indicated in https://industriels.esante.gouv.fr/produits-et-services/pro-sante-connect/documentation-technique. Since it will stop working with a client certificate after this date, we'll likely want to make it a mandatory setting in OpenIddict.

Additional context

No response

@kevinchalet kevinchalet self-assigned this Sep 2, 2024
@kevinchalet kevinchalet changed the title Update the Pro Santé Connect provider to make the ClientCertificate setting required Update the Pro Santé Connect provider to make the client certificate setting required Sep 19, 2024
@kevinchalet
Member Author

Adding mTLS support to the client stack is tracked by #2186.

@kevinchalet kevinchalet added this to the 6.0.0-preview1 milestone Sep 19, 2024
@kevinchalet
Member Author

mTLS is now fully supported by the client stack and was successfully tested against Keycloak.

Note: when making the switch, we'll also need to tweak this handler to remove the client_secret_* methods from the supported client authentication methods list if PSC doesn't update their configuration document to reflect this change:

```csharp
// Pro Santé Connect lists private_key_jwt as a supported client authentication method but
// only supports client_secret_basic/client_secret_post and tls_client_auth and plans to
// remove secret-based authentication support in late 2024 to force clients to use mTLS.
else if (context.Registration.ProviderType is ProviderTypes.ProSantéConnect)
{
    context.Configuration.DeviceAuthorizationEndpointAuthMethodsSupported.Remove(
        ClientAuthenticationMethods.PrivateKeyJwt);
    context.Configuration.IntrospectionEndpointAuthMethodsSupported.Remove(
        ClientAuthenticationMethods.PrivateKeyJwt);
    context.Configuration.RevocationEndpointAuthMethodsSupported.Remove(
        ClientAuthenticationMethods.PrivateKeyJwt);
    context.Configuration.TokenEndpointAuthMethodsSupported.Remove(
        ClientAuthenticationMethods.PrivateKeyJwt);
}
```
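As an added example (not OpenIddict's code and not from the issue), here is a stand-alone C# sketch of what the comment above describes: prune the retired secret-based methods alongside private_key_jwt, then refuse a PSC registration that has no client certificate, since tls_client_auth is the only method left. The single HashSet<string> standing in for OpenIddict's per-endpoint sets, the Prune/Validate names and the sample discovery data are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;

static class ProSanteConnectMtlsPolicy
{
    const string ClientSecretBasic = "client_secret_basic";
    const string ClientSecretPost = "client_secret_post";
    const string PrivateKeyJwt = "private_key_jwt";
    const string TlsClientAuth = "tls_client_auth";

    // Methods PSC advertises but that the client must not select: private_key_jwt was
    // never actually supported and the client_secret_* methods are being retired for mTLS.
    static readonly string[] RetiredMethods = { PrivateKeyJwt, ClientSecretBasic, ClientSecretPost };

    // Removes the retired methods from one advertised set (the real handler does this once
    // per endpoint set) and returns the methods that were actually dropped.
    public static IReadOnlyList<string> Prune(ISet<string> advertised)
    {
        var dropped = new List<string>();
        foreach (var method in RetiredMethods)
        {
            if (advertised.Remove(method))
                dropped.Add(method);
        }
        return dropped;
    }

    // Startup check for the effective registration: once the secret-based methods are
    // gone, tls_client_auth must still be advertised and a certificate with a private key
    // must be configured, otherwise the client cannot authenticate at all.
    public static void Validate(ISet<string> effective, X509Certificate2? clientCertificate)
    {
        if (!effective.Contains(TlsClientAuth))
            throw new InvalidOperationException(
                "The Pro Santé Connect discovery document no longer advertises tls_client_auth.");

        if (clientCertificate is null || !clientCertificate.HasPrivateKey)
            throw new InvalidOperationException(
                "A client certificate with a private key is required for Pro Santé Connect (mTLS).");
    }

    static void Main()
    {
        // Constructed sample of the methods a PSC discovery document advertises today.
        var advertised = new HashSet<string> { ClientSecretBasic, ClientSecretPost, PrivateKeyJwt, TlsClientAuth };
        Console.WriteLine("dropped: " + string.Join(", ", Prune(advertised)));
        Validate(advertised, clientCertificate: null); // fails: no certificate configured
    }
}
```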

@kevinchalet kevinchalet removed this from the 6.0.0-preview2 milestone Oct 22, 2024