ironmansoftware / powershell-universal

Issue tracker for PowerShell Universal
https://powershelluniversal.com

Crash when sending long attributes in OpenID Connect authentication #2689

Closed DanielMalmgren closed 2 months ago

DanielMalmgren commented 1 year ago

Version

4.0.12

Severity

Low

Steps to Reproduce

In an OpenID Connect federation, set up the identity provider so that it sends a very long attribute/claim in the login flow. In my case it's an attribute named "groups" which contains all my AD groups; it's a string that is above 2000 characters.

I also mentioned this in the forums.

Expected behavior

PSU should accept the attribute and use it. For the groups attribute, it should be used for authorization.

Actual behavior

Complete crash.

Pasting what I get in the log below:

2023-09-13 11:32:46.559 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/ - -
2023-09-13 11:32:46.559 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:46.559 +02:00 [VRB] This request accepts compression.
2023-09-13 11:32:46.559 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'SessionMiddleware').
2023-09-13 11:32:46.559 +02:00 [DBG] The request path / does not match a supported file type
2023-09-13 11:32:46.559 +02:00 [DBG] The request path  does not match the path filter
2023-09-13 11:32:46.559 +02:00 [DBG] Request did not match any endpoints
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/ - - - 302 0 - 5.1100ms
2023-09-13 11:32:57.788 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - -
2023-09-13 11:32:57.788 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:57.789 +02:00 [VRB] Performing unprotect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:57.789 +02:00 [ERR] Connection id "0HMTJCELR3K2I", Request id "0HMTJCELR3K2I:00000003": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'server_error', error_description: 'the server encountered an unexpected error', error_uri: 'error_uri is null'.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2023-09-13 11:32:57.790 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - - - 500 0 - 1.4839ms

Additional Environment data

OS: Windows Server 2019 Datacenter

Visuals

No response

adamdriscoll commented 1 year ago

This issue has been mentioned on Ironman Software Forums. There might be relevant details there:

https://forums.ironmansoftware.com/t/problem-with-groups-in-oauth2-attribute/9706/2

adamdriscoll commented 2 months ago

This is a configuration issue. You can limit the number of groups sent in the claims via Entra ID app registration configuration. I've updated the docs here: https://docs.powershelluniversal.com/config/security/openid-connect#group-overages
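The group-overage case referred to above, as an added diagnostic example that is not part of this issue, of PowerShell Universal or of Entra ID's own tooling: it decodes the claims of an id_token and reports whether group membership came inline, was replaced by Entra ID's overage indicator (`_claim_names` / `_claim_sources`, which point the relying party at Microsoft Graph), or is absent, and flags an inline claim larger than the 2000-character size from the report. The tokens are constructed test fixtures with a dummy signature segment; the 2000-character threshold is taken from the report, not from any PSU limit.

```python
import base64
import json

# Entra ID emits these two claims instead of "groups" when a user belongs to
# more groups than fit in a token (the "group overage" case). The groups must
# then be fetched from the Graph endpoint named in _claim_sources.
OVERAGE_NAMES_CLAIM = "_claim_names"
OVERAGE_SOURCES_CLAIM = "_claim_sources"


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. This does NOT verify the
    signature; use it only to inspect a token the OIDC handler already validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def classify_groups(claims: dict, warn_chars: int = 2000) -> dict:
    """Report how group membership arrived so a login handler can act on it
    (resolve via Graph, or warn) instead of failing on an oversized claim."""
    if "groups" in claims:
        groups = claims["groups"]
        if isinstance(groups, str):          # some IdPs send a single string
            groups = [groups]
        size = len(json.dumps(groups))       # serialized size as it would be stored
        return {"mode": "inline", "count": len(groups), "oversized": size > warn_chars}
    names = claims.get(OVERAGE_NAMES_CLAIM, {})
    if "groups" in names:
        source = claims.get(OVERAGE_SOURCES_CLAIM, {}).get(names["groups"], {})
        return {"mode": "overage", "count": 0, "endpoint": source.get("endpoint")}
    return {"mode": "absent", "count": 0}


def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned token for local tests only; the third
    segment is a placeholder, not a real signature."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return header + "." + enc(claims) + ".placeholder-signature"
```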