Hello,
We cannot pair google-oauth-java-client with ipsilon. The error is in:
https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openidc/auth.py#_506

    id_token['amr'] = json.dumps([])

You can see that the amr claim becomes a string, while it must be:
amr
JSON array of strings that are identifiers for authentication methods used in the authentication.
https://openid.net/specs/openid-connect-core-1_0-17.html
The token that comes from Ipsilon is:

    {
      "acr": "0",
      "amr": "[]",   <-------------------- bug!
      "aud": "osci-jenkins",
      "auth_time": 1592478255,
      "azp": "osci-jenkins",
      "c_hash": "p-HhSZTs2pnXe9huOl6XGA",
      "exp": 1592479007,
      "iat": 1592478407,
      "iss": "https://id.fedoraproject.org/openidc/",
      "nonce": null,
      "sub": "fe21ec53bb833f35453370804c211f71e743be37f9bda3a6bd80e72161b37cba"
    }

In JSON it is a string, while by the OpenID standard it must be an array.
@puiterwijk hello, could you please fix this? And deploy the fixed version to prod?
The bug blocks the fedora-ci osci team from deploying pipelines. Thank you!
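
The double serialization reported above, reproduced as an added example that is not part of the original ticket or of Ipsilon's code: it builds a payload both ways and runs the type check a strict relying party applies to `amr`. The function names and the sample issuer and client values are hypothetical.

```python
import json


def build_id_token(double_encode):
    """Return a serialized claims payload (constructed sample values).

    double_encode=True mirrors the reported line: amr is set to
    json.dumps([]), i.e. the string "[]", before the payload is serialized.
    """
    claims = {
        "acr": "0",
        "aud": "example-client",                # hypothetical client id
        "iss": "https://idp.example/openidc/",  # hypothetical issuer
    }
    claims["amr"] = json.dumps([]) if double_encode else []
    return json.dumps(claims)  # second serialization happens here


def check_amr(payload_json):
    """Classify the amr claim: absent, ok, double-encoded, or invalid."""
    claims = json.loads(payload_json)
    if "amr" not in claims:
        return "absent"  # amr is an optional claim
    amr = claims["amr"]
    # OpenID Connect Core: amr is a JSON array of strings.
    if isinstance(amr, list) and all(isinstance(m, str) for m in amr):
        return "ok"
    if isinstance(amr, str):
        # Signature of double serialization: a string that itself
        # parses as a JSON array.
        try:
            inner = json.loads(amr)
        except ValueError:
            inner = None
        if isinstance(inner, list):
            return "double-encoded"
    return "invalid"


if __name__ == "__main__":
    for flag in (True, False):
        payload = build_id_token(flag)
        print(payload, "->", check_amr(payload))
```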
I think this is what @puiterwijk was fixing in f49a4f6. I can make a new snapshot release for Fedora if that'd help?
Metadata Update from @ngompa: - Custom field component adjusted to None - Custom field type adjusted to None - Custom field version adjusted to None
@ngompa it is a completely different issue. They are unrelated. This issue is about double serialization of the amr claim.
D'oh, I didn't read carefully enough. This is what happens when I read issues just when I wake up. :wink:
Metadata Update from @ngompa: - Custom field component adjusted to OpenID Connect (was: None) - Custom field type adjusted to defect (was: None) - Custom field version adjusted to Development (was: None)
Should be fixed by: https://pagure.io/ipsilon/pull-request/341
Or there is the same PR from @ngompa https://pagure.io/ipsilon/pull-request/340
@ngompa could you please merge one of them and deploy to prod :-D I am going to close bugz that I opened for library + plugin.
https://github.com/googleapis/google-oauth-java-client/issues/471
https://github.com/jenkinsci/oic-auth-plugin/issues/96
Please deploy to fedora infra :-D This will unblock us :-D
@astepano I do not have the power to deploy updated versions of Ipsilon, but I can build updated packages for it for Fedora Infra folks to use.
@ngompa please build