https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4862507#M2258 <P>OK Janos, I will do so.</P> Mon, 26 Jun 2023 13:43:04 GMT Lajos Demeter 2023-06-26T13:43:04Z https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4861591#M2250 <P>I am doing some testing with the Webex SSO using OpenID Connect (OIDC), first for login only, in the "openid email" scope, and found some items which are not fully documented.</P><P><STRONG>My questions the OIDC based SSO behavior of Webex:</STRONG><BR />- could you please confirm that the "JWKS endpoint" is really not used, and if yes, make this mandatory field optional?<BR />- could you please confirm that the "User info endpoint" is really not used, and make this mandatory field optional?<BR />- could you please confirm that the returned "access_token" within the OIDC token is not used, so may be empty?<BR />- could you please confirm that the only the payload part of the returned "id_token" within the OIDC token is used, the other parts can be arbitrary values?</P><P>Or am I on a completely wrong path?</P><P><U><STRONG>Background</STRONG></U></P><P>In configuring the OIDC IdP details in Control Hub under "Manually add endpoint information", the CH requests mandatory URLs to the "JWKS endpoint" and "User info endpoint".</P><P>According to the IDC standard <A href="https://openid.net/specs/openid-connect-discovery-1_0.html at point 3" target="_self">HERE</A>, the JWKS endpoint is REQUIRED and returns key(s) to validate the id_token signature with. The User info endpoint is optional, and serves requests to user details.</P><P>In my understanding, the IDP should POST something similar to the Webex idbroker:<BR /><FONT face="courier new,courier">{</FONT><BR /><FONT face="courier new,courier">"token_type": "Bearer",</FONT><BR /><FONT face="courier new,courier">"expires_in": 3600,</FONT><BR /><FONT face="courier new,courier">"access_token": "...",</FONT><BR /><FONT face="courier new,courier">"scope": "email openid",</FONT><BR /><FONT face="courier new,courier">"id_token": "..."</FONT><BR /><FONT face="courier new,courier">}</FONT><BR />and in my understanding the Webex side MUST verify the signature of the id_token using the key(s) downloaded from the "JWKS endpoint", and MAY ask for user details from the "User info endpoint".</P><P>However, at least in my tests, it looks like Webex does NOT verify the signature of the id_token, (does not even turn to the "JWKS endpoint" to get the verification key), and ignores the mandatory "iss" (issuer) param in the "id_token" JWT header. It does not turn to the "User info endpoint" either.<BR />In spite of all these symptoms, the authentication is successful.&nbsp; I found no docs about the OIDC behavior of Webex, while the SAML behavior is quite well documented.</P><P>Thanks in advance for your clarification.</P> Sat, 24 Jun 2023 11:21:14 GMT https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4861591#M2250 Lajos Demeter 2023-06-24T11:21:14Z https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4862257#M2254 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1290320">@Lajos Demeter</a>&nbsp;would you mind opening a ticket for this please - <A href="mailto:devsupport@webex.com" target="_blank">devsupport@webex.com</A>&nbsp;? Please also include the payloads of your testings that you mentioned above, so that we can cross-verify them internally. Thanks</P> Mon, 26 Jun 2023 09:55:24 GMT https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4862257#M2254 Janos Benyovszki 2023-06-26T09:55:24Z https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4862507#M2258 <P>OK Janos, I will do so.</P> Mon, 26 Jun 2023 13:43:04 GMT https://community.cisco.com/t5/webex-for-developers/webex-sso-with-openid-connect/m-p/4862507#M2258 Lajos Demeter 2023-06-26T13:43:04Z