OpenConext / OpenConext-oidcng

OpenID Connect gateway - The Next Generation

claims parameter in signed object fails #206

Open phavekes opened 1 month ago

phavekes commented 1 month ago

This issue is imported from pivotal - Originally created at Sep 15, 2022 by Bart Geesink

You can use a signed JWT to encode your authorization request. If I add the claims parameter, it will cause an error. See attachment for the stacktrace.

The decoded jwt used looks like this:

```json
{
  "iss": "oidctest",
  "aud": "https://connect.test.surfconext.nl",
  "claims": {
    "id_token": {
      "email": null
    }
  },
  "response_type": "code",
  "scope": "openid",
  "client_id": "oidctest",
  "state": "O5pZvW_cPJjPCZm87eHPqplnL1A",
  "redirect_uri": "https://spdtest.surfconext.nl/oidc/redirect",
  "nonce": "tAw5hSn8HxKahbAFlS7J9kOikbnz2I21_gt1NL1KrAk"
}
```

phavekes commented 1 month ago
@bartgeesink You forgot to attach the stack-trace. When I try this with the playground it works. The difference being that the claims field is a string with escaped JSON. I think this is spec mandatory (but I'm not sure).

```json
{
  "header": {
    "alg": "RS256",
    "kid": "play_key_id",
    "typ": "JWT"
  },
  "state": "SIGNED",
  "payload": {
    "aud": "audience",
    "claims": "{\"id_token\":{\"email\":null}}",
    "client_id": "playground_client",
    "exp": 1663247285,
    "iat": 1663243685,
    "iss": "playground_client",
    "jti": "d2b8a21c-7a2c-451c-883f-ec8f74acc486",
    "nbf": 1663243685,
    "nonce": "example",
    "redirect_uri": "https://oidc-playground.test2.surfconext.nl/redirect",
    "response_mode": "query",
    "response_type": "code",
    "scope": "openid",
    "state": "example",
    "sub": "playground_client"
  }
}
```

(Okke Harsta - Sep 15, 2022)
phavekes commented 1 month ago

The example shown in paragraph 6.1 of the spec shows the non-escaped JSON. The spec itself is not very clear, but other implementations do not escape.

I've attached the error now (Bart Geesink - Sep 15, 2022)
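The two comments above disagree on the shape of `claims` inside a signed request object: a nested JSON object (as in the OIDC Core 6.1 example and the first token) or a JSON-encoded string (as the playground sends). A tolerant gateway can accept both and still reject malformed input. The following is an added, stand-alone example and not code from this issue or from the OpenConext-oidcng code base; the function names (`normalize_claims`, `validate_claims`, `requested_id_token_claims`, `claims_error`) and the two sample payloads are constructed for illustration, and signatures are left out because only the decoded payload matters for this point.

```python
import json
from typing import Any, Dict, Optional

# Constructed sample payloads modelled on the two shapes seen in this issue.
# They are not real tokens; only the decoded payload is relevant here.
PAYLOAD_OBJECT_FORM = {  # claims as a nested JSON object (OIDC Core 6.1 style)
    "iss": "oidctest",
    "aud": "https://connect.test.surfconext.nl",
    "claims": {"id_token": {"email": None}},
    "response_type": "code",
    "scope": "openid",
    "client_id": "oidctest",
}
PAYLOAD_STRING_FORM = {  # claims as an escaped JSON string (playground style)
    "iss": "playground_client",
    "aud": "audience",
    "claims": "{\"id_token\":{\"email\":null}}",
    "response_type": "code",
    "scope": "openid",
    "client_id": "playground_client",
}

KNOWN_TOP_LEVEL = {"id_token", "userinfo"}


def normalize_claims(raw: Any) -> Optional[Dict[str, Any]]:
    """Return the claims request as a dict, accepting both the object form and
    the string-encoded form. Anything else is rejected with ValueError."""
    if raw is None:
        return None
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ValueError(f"claims is not valid JSON: {exc}") from exc
    if not isinstance(raw, dict):
        raise ValueError("claims must be a JSON object or a JSON-encoded object string")
    return raw


def validate_claims(claims: Dict[str, Any]) -> Dict[str, Any]:
    """Type-check the structure from OIDC Core 5.5: id_token/userinfo map claim
    names to null or to an object whose known keys are essential/value/values.
    Members the spec does not define are ignored, as the spec requires."""
    for top in KNOWN_TOP_LEVEL & set(claims):
        members = claims[top]
        if not isinstance(members, dict):
            raise ValueError(f"{top} must be a JSON object")
        for name, spec in members.items():
            if spec is None:
                continue  # null means "request this claim with default handling"
            if not isinstance(spec, dict):
                raise ValueError(f"claim {name!r} must be null or an object")
            if "essential" in spec and not isinstance(spec["essential"], bool):
                raise ValueError(f"claim {name!r}: essential must be a boolean")
            if "values" in spec and not isinstance(spec["values"], list):
                raise ValueError(f"claim {name!r}: values must be an array")
    return claims


def requested_id_token_claims(payload: Dict[str, Any]) -> Dict[str, Any]:
    """Extract the id_token claims request from a decoded request object payload,
    whichever encoding of `claims` the client used."""
    claims = normalize_claims(payload.get("claims"))
    if claims is None:
        return {}
    return validate_claims(claims).get("id_token", {})


def claims_error(raw: Any) -> Optional[str]:
    """Return the rejection reason for a claims value, or None if it is acceptable.
    Handy for turning the failure into an invalid_request error instead of a stack trace."""
    try:
        claims = normalize_claims(raw)
        if claims is not None:
            validate_claims(claims)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    for payload in (PAYLOAD_OBJECT_FORM, PAYLOAD_STRING_FORM):
        print(payload["client_id"], "->", requested_id_token_claims(payload))
```

Both sample payloads yield the same request (`{"email": None}`), so the gateway behaves identically whether or not the client escaped the object; malformed values (a number, unparsable JSON, a non-boolean `essential`) surface as a descriptive error rather than an exception from deep inside the JWT handling.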