Ciao Mat!

The RPs must be inserted in the DB, as Ivan pointed out. See these examples in code:
https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/blob/main/tests/test_oidcop.py#L466

The endpoints are configured in the idpy-oidc configuration, like this:
https://github.com/UniversitaDellaCalabria/SATOSA-oidcop/blob/main/example/oidcop_frontend.yaml#L74

According to the error about the non-existent endpoint, it seems the OpenID provider frontend was not configured in the proxy.

Let's continue this chat on Slack; we'll find a solution, even if we have to do it as a pair, and then we'll put some words in the documentation for the people, if you agree.

On Mon, 8 Jan 2024 at 20:51, Matthew X. Economou via satosa-users <satosa-users@lists.sunet.se> wrote:
I'm trying to test my SATOSA OIDC OP using the OpenID Connect
Playground, but it looks like the client isn't registering itself with
SATOSA properly.  I don't know how to fix this and would be grateful for
any help!

I have installed satosa-oidcop
(https://github.com/UniversitaDellaCalabria/SATOSA-oidcop) and
configured it to use Amazon DocumentDB (MongoDB-compatible).

On https://openidconnect.net/:
- I select the "OpenID Connect + OAuth2" mode (default and only option).
- I click "Configuration".
- I select the "Custom" server template.
- I enter the discovery document URL generated by SATOSA
($BASE_URL/.well-known/openid-configuration), click "Use Discovery
Document", and click "Save".

The configuration tool sets the authorization token endpoint to
$BASE_URL/Saml2/OIDC/authorization, the token endpoint to
$BASE_URL/OIDC/token, and the token keys endpoint to
$BASE_URL/OIDC/jwks.  This looks correct.

The configuration tool tells me to set
"https://openidconnect.net/callback" as an allowed callback within my
application, and it shows me its OIDC Client ID, OIDC client secret,
scopes (defaults to "openid profile email phone address"), and optional
audience (blank).

When I click "Start" to begin the OIDC authentication process, I get the
following error:

https://openidconnect.net/callback?error=invalid_request&error_message=Response+type+is+not+registered&state=...

SATOSA logs the following at client configuration time:

```
[DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:..1] Routing path:
.well-known/openid-configuration
[DEBUG] [satosa.routing.endpoint_routing] [urn:uuid:..1] Unknown backend
.well-known
[DEBUG] [satosa.routing._find_registered_endpoint_for_module]
[urn:uuid:..1] Found registered endpoint: module name:'OIDC', endpoint:
.well-known/openid-configuration
```

Then it logs the following when I start the OIDC request process:

```
[ERROR]
[pyop.request_validator.response_type_is_in_registered_response_types]
client metadata is missing response_types
[ERROR] [satosa.frontends.openid_connect._handle_authn_request]
[urn:uuid:..2] Error in authn req: Response type is not registered
```

When I look at DocumentDB, I see the "satosa" database and accompanying
collections, but the clients collection appears to be empty:

```
rs0:PRIMARY> show dbs
sample_database  0.000GB
satosa           0.000GB
rs0:PRIMARY> use satosa
switched to db satosa
rs0:PRIMARY> show collections
access_tokens
authz_codes
clients
refresh_tokens
subject_identifiers
rs0:PRIMARY> db.clients.find()
rs0:PRIMARY>
```

What am I missing?

--
"The reason that ed is the standard editor is to remind you that
things could be worse, and once were." -- Tim Lavoie in comp.lang.lisp
_______________________________________________
satosa-users mailing list -- satosa-users@lists.sunet.se
To unsubscribe send an email to satosa-users-leave@lists.sunet.se


--
____________________
Giuseppe De Marco
Centro ICT d'Ateneo
Università della Calabria
87036 Rende (CS) - Italy
Phone: +39 0984 496961
e-mail: giuseppe.demarco@unical.it
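To make the "RPs must be inserted in the DB" advice concrete for the case in the quoted message, here is an added example (mine, not SATOSA, pyop or SATOSA-oidcop code) that builds a client record for https://openidconnect.net/callback with an explicit response_types list, the field whose absence produced "client metadata is missing response_types", and mirrors that check. It assumes pyop's Mongo wrapper stores each entry as {"lookup_key": client_id, "data": metadata}; the client_id and secret are constructed placeholders.

```python
"""Register a relying party for a pyop-based SATOSA OIDC frontend.

Added example, not project code. Assumption: pyop's MongoWrapper keeps one
document per entry, shaped {"lookup_key": <client_id>, "data": <metadata>}.
"""
import secrets


def build_client_metadata(redirect_uris, response_types=("code",),
                          scopes=("openid", "profile", "email"),
                          client_secret=None):
    """Client metadata matching what the RP's authorization request will send.

    Register only the redirect URIs and response types the RP really uses;
    an absent response_types list makes every authn request fail.
    """
    return {
        "redirect_uris": list(redirect_uris),
        "response_types": list(response_types),
        "scope": " ".join(scopes),
        "client_secret": client_secret or secrets.token_urlsafe(32),
        "token_endpoint_auth_method": "client_secret_basic",
    }


def to_pyop_document(client_id, metadata):
    """Wrap metadata in the (assumed) key/data shape of pyop's Mongo store."""
    return {"lookup_key": client_id, "data": metadata}


def response_type_registered(metadata, requested):
    """Same decision as the failing validator: requested type must be registered.

    response_type is a space-separated set, so 'code id_token' == 'id_token code'.
    """
    registered = metadata.get("response_types")
    if not registered:  # the 'client metadata is missing response_types' case
        return False
    want = frozenset(requested.split())
    return any(frozenset(rt.split()) == want for rt in registered)


def register_client(db_uri, client_id, metadata, db_name="satosa"):
    """Upsert the record into <db_name>.clients; needs a reachable MongoDB."""
    from pymongo import MongoClient  # imported here so the rest runs offline
    coll = MongoClient(db_uri)[db_name]["clients"]
    coll.replace_one({"lookup_key": client_id},
                     to_pyop_document(client_id, metadata), upsert=True)
```

After inserting the record, `db.clients.find()` in the mongo shell should show the document, and the same client_id and secret are what get pasted into the Playground's configuration.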