LINE OAuth Strategy #57

Closed
wingyplus opened this issue Oct 13, 2020 · 5 comments · Fixed by #58

Comments

@wingyplus

It would be good to see it support the LINE OAuth Provider (https://developers.line.biz/en/services/line-login/). I can open a PR if you all agree.

@danschultzer
Collaborator

That would be great!

Looks like they support OIDC which is very easy to add an integration for. You can take a look at the Azure AD integration (ignoring the tenant logic), and the docs for OIDC base integration:

https://github.com/pow-auth/assent/blob/master/lib/assent/strategies/azure_ad.ex
https://github.com/pow-auth/assent/blob/master/lib/assent/strategies/oidc/base.ex

For the tests I usually copy values from the provider documentation: https://github.com/pow-auth/assent/blob/master/test/assent/strategies/azure_ad_test.exs#L6

@wingyplus
Author

@danschultzer Thanks for the information. I'll read and open a PR today. :)

@wingyplus
Author

wingyplus commented Oct 15, 2020

@danschultzer LINE Login uses HS256 for the ID Token. How do we change alg to use HS256 instead of RS256?

@danschultzer since LINE Login uses alg HS256 for the ID Token, after I tried passing params to the callback I received an error like this:

{:error, "`alg` in ID Token can only be \"RS256\""}

After reading and inspecting the code, I found that the error comes from OIDC.validate_id_token/2 in the verify_alg/2 step, after passing verify_jwt/3, which returns alg HS256 in the header. Should HS256 be checked in verify_alg/2, or is another option needed to make it work with HS256?

@wingyplus
Author

wingyplus commented Oct 15, 2020

It works fine if we set id_token_signed_response_alg in openid_configuration, but it requires additional configuration to make it work. This is a sample configuration that works for me:

  def default_config(_config) do
    [
      site: "https://access.line.me",
      authorization_params: [scope: "email profile", response_type: "code"],
      openid_configuration: %{
        "id_token_signed_response_alg" => ["HS256"],
        "issuer" => "https://access.line.me",
        "authorization_endpoint" => "https://access.line.me/oauth2/v2.1/authorize",
        "token_endpoint" => "https://api.line.me/oauth2/v2.1/token",
        "jwks_uri" => "https://api.line.me/oauth2/v2.1/certs"
      }
    ]
  end

I need to set this manually because the well-known OpenID configuration doesn't return id_token_signed_response_alg:

$ curl https://access.line.me/.well-known/openid-configuration
{
  "issuer": "https://access.line.me",
  "authorization_endpoint": "https://access.line.me/oauth2/v2.1/authorize",
  "token_endpoint": "https://api.line.me/oauth2/v2.1/token",
  "jwks_uri": "https://api.line.me/oauth2/v2.1/certs",
  "response_types_supported": [ "code" ],
  "subject_types_supported": [ "pairwise" ],
  "id_token_signing_alg_values_supported": [ "ES256" ]
}

Do you have any suggestions?

wingyplus pushed a commit to wingyplus/assent that referenced this issue Oct 15, 2020
Add default LINE Login OpenID Connect configuration. The openid configuration
dump from /.well-known/openid-configuration plus `id_token_signed_response_alg`
to make it work on ID Token with alg HS256.

Closes pow-auth#57
danschultzer pushed a commit to wingyplus/assent that referenced this issue Oct 18, 2020
Add default LINE Login OpenID Connect configuration. The openid configuration
dump from /.well-known/openid-configuration plus `id_token_signed_response_alg`
to make it work on ID Token with alg HS256.

Closes pow-auth#57
@danschultzer
Collaborator

Yeah, found out the handling of the response alg was incorrect. It was a bit difficult to understand from the RFC:

  1. The alg value SHOULD be the default of RS256 or the algorithm sent by the Client in the id_token_signed_response_alg parameter during Registration.

But I looked at other OIDC implementations, and setting it as a configuration option seems to be the way to do it. #59 handles that, and I've refactored #58 to use the new configuration option so we don't need to set the open id config manually. I'll get a new release out shortly!

mitcheaton1 pushed a commit to goaero/assent that referenced this issue Jul 13, 2021
Add default LINE Login OpenID Connect configuration. The openid configuration
dump from /.well-known/openid-configuration plus `id_token_signed_response_alg`
to make it work on ID Token with alg HS256.

Closes pow-auth#57
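
The check discussed in this thread, as an added example that is not part of the issue or of Assent's code: the verifier takes the expected `alg` from client configuration (`id_token_signed_response_alg`, defaulting to RS256) rather than from the token header, and verifies HS256 with the client secret. Module and function names are hypothetical, the token and secret are constructed, and the built-in `JSON` module (Elixir 1.18+) and `:crypto.hash_equals/2` (OTP 25+) are assumed.

```elixir
# Added example, not Assent's code. Assumes Elixir 1.18+ (JSON) and OTP 25+.
defmodule IDTokenAlgExample do
  # The expected alg comes from client configuration (default RS256), never from the token.
  def verify(token, config) do
    expected = Keyword.get(config, :id_token_signed_response_alg, "RS256")
    with [h, p, s] <- String.split(token, "."),
         {:ok, %{} = header} <- decode_segment(h),
         :ok <- check_alg(header["alg"], expected),
         :ok <- check_signature(expected, h <> "." <> p, s, config[:client_secret]),
         {:ok, %{} = claims} <- decode_segment(p) do
      {:ok, claims}
    else
      {:error, message} when is_binary(message) -> {:error, message}
      _ -> {:error, "malformed ID Token"}
    end
  end

  defp check_alg(alg, alg) when is_binary(alg), do: :ok
  defp check_alg(_, expected), do: {:error, "`alg` in ID Token can only be #{inspect(expected)}"}

  # HS256 is keyed with the client secret; other algorithms are out of scope here.
  defp check_signature("HS256", input, sig, secret) when is_binary(secret) do
    good = mac64(input, secret)
    # hash_equals/2 requires equal sizes, so the length check comes first.
    if byte_size(sig) == byte_size(good) and :crypto.hash_equals(sig, good),
      do: :ok,
      else: {:error, "invalid signature"}
  end

  defp check_signature(alg, _, _, _), do: {:error, "cannot verify #{alg} in this example"}

  defp decode_segment(segment) do
    with {:ok, json} <- Base.url_decode64(segment, padding: false), do: JSON.decode(json)
  end

  # Builds a constructed HS256 token so the example runs offline.
  def sign_hs256(claims, secret) do
    input = Enum.map_join([%{"alg" => "HS256"}, claims], ".", &encode_segment/1)
    input <> "." <> mac64(input, secret)
  end

  defp encode_segment(map), do: map |> JSON.encode!() |> Base.url_encode64(padding: false)
  defp mac64(input, secret),
    do: Base.url_encode64(:crypto.mac(:hmac, :sha256, secret, input), padding: false)
end

secret = "constructed-channel-secret"
token = IDTokenAlgExample.sign_hs256(%{"sub" => "U-constructed"}, secret)
IO.inspect(IDTokenAlgExample.verify(token, client_secret: secret))
IO.inspect(IDTokenAlgExample.verify(token, client_secret: secret, id_token_signed_response_alg: "HS256"))
```

Run as a script with `elixir`, the first call is rejected by the `alg` check because the configuration defaults to RS256; the second verifies the HMAC and returns the claims.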