arrikto / oidc-authservice

This is a fork/refactoring of the ajmyyra/ambassador-auth-oidc project
MIT License

User info fails to unmarshal when email_verified is a string #63

Closed Deadleg closed 2 years ago

Deadleg commented 3 years ago

Is this a bug report or feature request?

Describe the bug

When using AWS Cognito the email_verified field is a string "true" instead of a boolean, causing an unmarshal error in https://github.com/arrikto/oidc-authservice/blob/6f251f19f352b6de70085a718c807eeb6d47b3b5/oidc.go#L81.

It appears that Apple and PayPal have similar issues with using string values as well. This is nonconformant to the OpenID spec, but it's annoying enough to want to work around.

How to Reproduce

Steps to reproduce the behavior:

  1. Deploy AuthService using Cognito as the OIDC IdP.
  2. Start the auth code sign in.
  3. Sign in to Cognito.
  4. Return to the AuthService authorization callback, which will error while retrieving your user info.

Expected behavior

Sign in should work and retrieve your email.

Config Files

All defaults except for the mandatory OAuth client id etc.

Logs

level=error msg="Not able to fetch userinfo: oidc: failed to decode userinfo: json: cannot unmarshal string into Go struct field UserInfo.email_verified of type bool"

Environment:

Additional context

This patch fixes the issue:

diff --git a/oidc.go b/oidc.go
index 3147706..586d0a4 100644
--- a/oidc.go
+++ b/oidc.go
@@ -16,7 +16,7 @@ type UserInfo struct {
        Subject       string `json:"sub"`
        Profile       string `json:"profile"`
        Email         string `json:"email"`
-       EmailVerified bool   `json:"email_verified"`
+       EmailVerified bool   `json:"email_verified,string"`

        RawClaims []byte
 }
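Review bot: the `,string` option added to EmailVerified in this hunk moves the failure rather than removing it. With `json:"email_verified,string"`, encoding/json requires the quoted form, so a conformant provider that sends `"email_verified": true` (an unquoted JSON boolean) now fails with "json: invalid use of ,string struct tag, trying to unmarshal unquoted value into bool". Since the report says only some IdPs (Cognito, Apple, PayPal) quote the value, consider a dedicated field type with an UnmarshalJSON that accepts both `true` and `"true"` (and rejects anything else), or decoding the claim into json.RawMessage and normalizing it afterwards, so the conformant path keeps working.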
yanniszark commented 3 years ago

@Deadleg thanks for reporting this! It's very interesting to see that AWS, Paypal and Apple have bugs in their OIDC implementation. I would like to ask:
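As an added example (not code from this issue or from the oidc-authservice project), the Go program below shows the trade-off in the report above: a claim type that accepts both the JSON boolean a conformant provider sends and the quoted string form Cognito sends, beside a struct that uses the `,string` tag from the proposed patch, each decoded against constructed sample userinfo responses. The names FlexBool, UserInfo, DecodeUserInfo, DecodeWithStringTag and the sample payloads are mine and assumed, not the project's.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FlexBool decodes a claim that conformant OIDC providers send as a JSON
// boolean (true) but that some providers (Cognito, per the report) send as
// a JSON string ("true"). Anything else is rejected rather than guessed, so
// a malformed value can never be read as "verified".
type FlexBool bool

// UnmarshalJSON implements json.Unmarshaler. data is the raw JSON value,
// including the surrounding quotes when the value is a string.
func (b *FlexBool) UnmarshalJSON(data []byte) error {
	switch string(data) {
	case "true", `"true"`:
		*b = true
	case "false", `"false"`:
		*b = false
	case "null":
		// Mirror encoding/json: null leaves the field untouched.
	default:
		return fmt.Errorf("email_verified: unsupported value %s", data)
	}
	return nil
}

// UserInfo is a hypothetical stand-in for the struct in the issue, using
// the tolerant claim type instead of a plain bool.
type UserInfo struct {
	Subject       string   `json:"sub"`
	Email         string   `json:"email"`
	EmailVerified FlexBool `json:"email_verified"`
}

// stringTagUserInfo uses the ",string" option exactly as the proposed
// patch does, for comparison.
type stringTagUserInfo struct {
	Subject       string `json:"sub"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified,string"`
}

// Constructed sample userinfo responses; not captured from any real IdP.
var (
	ConformantResp   = []byte(`{"sub":"u1","email":"a@example.com","email_verified":true}`)
	CognitoStyleResp = []byte(`{"sub":"u1","email":"a@example.com","email_verified":"true"}`)
	MalformedResp    = []byte(`{"sub":"u1","email":"a@example.com","email_verified":"yes"}`)
)

// DecodeUserInfo decodes a userinfo response with the tolerant FlexBool type.
func DecodeUserInfo(data []byte) (UserInfo, error) {
	var ui UserInfo
	err := json.Unmarshal(data, &ui)
	return ui, err
}

// DecodeWithStringTag decodes with the ",string"-tagged struct and returns
// the email_verified value it produced.
func DecodeWithStringTag(data []byte) (bool, error) {
	var ui stringTagUserInfo
	if err := json.Unmarshal(data, &ui); err != nil {
		return false, err
	}
	return ui.EmailVerified, nil
}

func main() {
	samples := map[string][]byte{
		"conformant":    ConformantResp,
		"cognito-style": CognitoStyleResp,
		"malformed":     MalformedResp,
	}
	for name, resp := range samples {
		ui, err := DecodeUserInfo(resp)
		fmt.Printf("FlexBool %-14s verified=%v err=%v\n", name, bool(ui.EmailVerified), err)
		v, err := DecodeWithStringTag(resp)
		fmt.Printf(",string  %-14s verified=%v err=%v\n", name, v, err)
	}
}
```

Run it with `go run`: the FlexBool struct decodes both the boolean and the quoted form and rejects "yes", while the `,string`-tagged struct accepts only the quoted form and errors on the conformant boolean. Rejecting unknown spellings instead of coercing them keeps the verified flag fail-closed.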