OpenID compliance test uses a draft spec

[elythh]

Describe the bug

The OpenID validation function [1] is checking whether end_session_endpoint is part of the OpenID configuration. However, this endpoint is not part of the final specification [2] but rather a draft one [3].

Since providers might not be configured to specify that endpoint while still being compliant, we should not base the validation on it.

[1]

rabbitmq-server/deps/rabbitmq_management/priv/www/js/oidc-oauth/helper.js

Line 268 in c57ece8

if (typeof payload.end_session_endpoint != 'string') {

[2] https://openid.net/specs/openid-connect-session-1_0.html
[3] https://openid.net/specs/openid-connect-session-1_0-17.html

Related PR #10012 ###

Reproduction steps

1. Configure RabbitMQ with Auth0 as provider
2. Try to access the management UI

Expected behavior

The OpenID compliance should still be validated even without logout endpoint.

Additional context

If anyone is facing a similar issue while using Auth0, you can still enable that endpoint.
For more info, see here

[michaelklishin]

@elythh our OAuth 2 and OpenID Connect implementations target the needs of paying users. There are five example configurations that use very popular identity provider tools, including Auth0.

Also, if you want the core team to spend any time on your proposal, it must be a detailed explanation of the alternatives and their downsides, not a three sentence long problem definition. "Configure RabbitMQ with Auth0 as provider" is not a reproduction step, there are many many variables involved in any practical OAuth 2-enabled setup.

Thanks for providing [1], it can be added to the docs for Auth0.

1. https://auth0.com/docs/authenticate/login/logout/log-users-out-of-auth0#enable-endpoint-discovery

[elythh]

Oh sorry about the duplicate issue and the mistake, I didn't get notified about this discussion.

[MarcialRosales]

@elythh This docker image pivotalrabbitmq/rabbitmq:make-end-session-endpoint-optional (it will be released as 3.13.2) makes the claim end_session_endpoint optional. If you can try it out, please let us know that it works for you.

[elythh]

Hello @MarcialRosales. Thank you for the notice ! That should actually fix the issue for Auth0 users.
In my case, I activated the endpoint discovery in Auth0 so I won't be able to check whether this would've fixed it for me, sorry.

[MarcialRosales]

Thanks in any case.

[michaelklishin]

FTR, we have encountered a similar complaint from a paying user and the issue to watch is #11067 (and as can be seen above, we already have a spike by @MarcialRosales).

[michaelklishin]

And rabbitmq/rabbitmq-website#1893 is the docs part.