Can internal response attributes have emptyvalues?

[jkakavas]

Hi,

I've come across a setup/configuration where we have internal_response attributes which value is an empty list. Something like :

{'edupersonorcid': [],
 'eppn': ['ikakavas@myscope.gr'],
 'surname': ['Kakavas']}

The attributes get their value from the ldap_attribute_store microservice (in this example edupersonorcid has no values in LDAP ) and the frontend that breaks because of this is the openid_connect plugin, specifically https://github.com/SUNET/SATOSA/blob/d20500117c22f891ca44f7808a1ed6fab70738d7/src/satosa/frontends/openid_connect.py#L118

which raises IndexError: list index out of range as expected.

So the question is :

• Do we make sure that we don't end up with empty lists in our internal_attributes ( i..e. fix this in the ldap attribute microservice ) or
• Do we make sure our frontends are able to handle this ? I'd guess that the saml2 frontend is already more lenient as I know @skoranda has been using the ldap_attribute_store microservice in a saml/saml setup for some time now.

[skoranda]

I think it would be good to fix it in both places. I have the ldap_attribute_store.py code open now and can easily fix this.

[jkakavas]

That'd be great Scott, thanks!