It appears that apple and paypal have similar issues with using string values as well. This is nonconformant to the OpenID spec, but it's annoying enough to want work around.
How to Reproduce
Steps to reproduce the behavior:
Deploy AuthService using Cognito as the OIDC IdP.
Start the auth code sign in.
Sign in to Cognito.
Return to AuthService authorization callback, which will error while retrieving you user info.
Expected behavior
Sign in should work and retrieve your email.
Config Files
All defaults except for the mandatory OAuth client id etc.
Logs
level=error msg="Not able to fetch userinfo: oidc: failed to decode userinfo: json: cannot unmarshal string into Go struct field UserInfo.email_verified of type bool"
@Deadleg thanks for reporting this!
It's very interesting to see that AWS, Paypal and Apple have bugs in their OIDC implementation.
I would like to ask:
Do you know if there is any issue in an AWS repo tracking this bug?
Do you have any information about how other OIDC clients in the wild handle this special case? This is essentially going off-spec.
Is this a bug report or feature request?
Describe the bug When using AWS Cognito the email_verified field is a string
"true"
instead of a boolean, causing an unmarshal error in https://github.com/arrikto/oidc-authservice/blob/6f251f19f352b6de70085a718c807eeb6d47b3b5/oidc.go#L81.It appears that apple and paypal have similar issues with using string values as well. This is nonconformant to the OpenID spec, but it's annoying enough to want work around.
How to Reproduce Steps to reproduce the behavior:
Expected behavior Sign in should work and retrieve your email.
Config Files All defaults except for the mandatory OAuth client id etc.
Logs
Environment:
fef11c3
Additional context This patch fixes the issue: