#339 OpenID Connect bad serialize `amr` claim in token.
Opened 16 days ago by astepano. Modified 16 days ago

Hello,

We cannot pair google-oauth-java-client with ipsilon.
Error is in:

https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openidc/auth.py#_506

            id_token['amr'] = json.dumps([])

You can see that the amr claim becomes a string, while it must be:

JSON array of strings that are identifiers for authentication methods used in the authentication. https://openid.net/specs/openid-connect-core-1_0-17.html

The token that comes from Ipsilon is:

{
  "acr": "0",
  "amr": "[]",   <-------------------- bug!
  "aud": "osci-jenkins",
  "auth_time": 1592478255,
  "azp": "osci-jenkins",
  "c_hash": "p-HhSZTs2pnXe9huOl6XGA",
  "exp": 1592479007,
  "iat": 1592478407,
  "iss": "https://id.fedoraproject.org/openidc/",
  "nonce": null,
  "sub": "fe21ec53bb833f35453370804c211f71e743be37f9bda3a6bd80e72161b37cba"
}

In JSON it is a string, while by the OpenID standard it must be an array.

@puiterwijk hello, could you please fix this? And deploy the fixed version to prod?

The bug blocks the fedora-ci osci team from deploying pipelines. Thank you!
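
Added example, not part of the original report and not Ipsilon's code: it reproduces the double serialization described above by building a JWT payload segment once with a pre-serialized `amr` and once with a plain list, then checks the decoded claim the way a strict relying party would. The function names (`encode_payload`, `decode_payload`, `build_claims`, `check_amr`) and the sample issuer, audience and subject values are constructed for illustration.

```python
import base64
import json


def encode_payload(claims: dict) -> str:
    """Build a JWT payload segment: one JSON pass, then unpadded base64url."""
    raw = json.dumps(claims, separators=(",", ":")).encode("utf-8")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_payload(segment: str) -> dict:
    """What a relying party sees after decoding the payload segment."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def build_claims(amr_value) -> dict:
    # Constructed sample claims, modelled on the token shown in the report.
    return {"iss": "https://op.example/openidc/", "aud": "client-1",
            "sub": "constructed-subject", "acr": "0", "amr": amr_value}


def check_amr(claims: dict) -> list:
    """Return the problems found with the amr claim (empty list: acceptable)."""
    if "amr" not in claims:
        return []  # amr is OPTIONAL in OpenID Connect Core
    amr = claims["amr"]
    if isinstance(amr, str):
        try:
            inner = json.loads(amr)
        except ValueError:
            inner = None
        if isinstance(inner, list):
            return ["amr is a JSON-encoded string (double serialization)"]
        return ["amr is a string, expected an array of strings"]
    if not isinstance(amr, list):
        return ["amr is %s, expected an array" % type(amr).__name__]
    return ["amr[%d] is not a string" % i
            for i, item in enumerate(amr) if not isinstance(item, str)]


# Pre-serializing the claim (as in the reported line) versus assigning a list.
buggy = decode_payload(encode_payload(build_claims(json.dumps([]))))
fixed = decode_payload(encode_payload(build_claims([])))

if __name__ == "__main__":
    for name, claims in (("buggy", buggy), ("fixed", fixed)):
        print(name, repr(claims["amr"]), check_amr(claims))
```

A check like `check_amr` fits in an identity provider's test suite, run against the decoded ID token, so a claim that is serialized before the token itself is serialized gets caught before a strict client library rejects it.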


I think this is what @puiterwijk was fixing in f49a4f6. I can make a new snapshot release for Fedora if that'd help?

Metadata Update from @ngompa:
- Custom field component adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None

16 days ago

@ngompa it is a completely different issue. They are unrelated. This issue is about double serialization of the amr claim.

D'oh, I didn't read carefully enough. This is what happens when I read issues just when I wake up. :wink:

Metadata Update from @ngompa:
- Custom field component adjusted to OpenID Connect (was: None)
- Custom field type adjusted to defect (was: None)
- Custom field version adjusted to Development (was: None)

16 days ago

@ngompa could you please merge one of them and deploy to prod :-D
I am going to close bugz that I opened for library + plugin.

https://github.com/googleapis/google-oauth-java-client/issues/471
https://github.com/jenkinsci/oic-auth-plugin/issues/96

Please deploy to fedora infra :-D This will unblock us :-D

@astepano I do not have the power to deploy updated versions of Ipsilon, but I can build updated packages for it for Fedora Infra folks to use.


Metadata
Related Pull Requests
  • #340 Merged 16 days ago