markbates / goth

Package goth provides a simple, clean, and idiomatic way to write authentication packages for Go web applications.
https://blog.gobuffalo.io/goth-needs-a-new-maintainer-626cd47ca37b
MIT License

Panic using openidConnect provider #551

Closed pinpox closed 6 days ago

pinpox commented 2 months ago

Using the example I get a panic from the openID connect provider:

2024/04/23 16:12:36 listening on localhost:3000
2024/04/23 16:12:46 http: panic serving [::1]:54814: interface conversion: interface {} is nil, not string
goroutine 23 [running]:
net/http.(*conn).serve.func1()
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/net/http/server.go:1898 +0xbe
panic({0x8d0540?, 0xc0004223c0?})
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/runtime/panic.go:770 +0x132
github.com/markbates/goth/providers/openidConnect.(*Session).Authorize(0xc00038c4e0, {0xa247e0?, 0xc000182ea0}, {0xa1cf60, 0xc0002c45a0})
        /home/pinpox/.go/pkg/mod/github.com/markbates/goth@v1.79.0/providers/openidConnect/session.go:60 +0x4d0
github.com/markbates/goth/gothic.init.func3({_, _}, _)
        /home/pinpox/.go/pkg/mod/github.com/markbates/goth@v1.79.0/gothic/gothic.go:204 +0x3e9
main.main.func1({0xa1f680, 0xc00038e000}, 0xffffffffffffffff?)
        /home/pinpox/code/github.com/pinpox/oidc-htmx-template/main.go:289 +0x5f
net/http.HandlerFunc.ServeHTTP(0xc0001826c0?, {0xa1f680?, 0xc00038e000?}, 0xc000100808?)
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/net/http/server.go:2166 +0x29
github.com/gorilla/pat.(*Router).ServeHTTP(0xc000308780, {0xa1f680, 0xc00038e000}, 0xc0001826c0)
        /home/pinpox/.go/pkg/mod/github.com/gorilla/pat@v1.0.2/pat.go:92 +0x28e
net/http.serverHandler.ServeHTTP({0xc000276ab0?}, {0xa1f680?, 0xc00038e000?}, 0x6?)
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/net/http/server.go:3137 +0x8e
net/http.(*conn).serve(0xc00026e510, {0xa20b28, 0xc0002769c0})
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/net/http/server.go:2039 +0x5e8
created by net/http.(*Server).Serve in goroutine 1
        /nix/store/mzg3cka0bbr5jq96ysymwziw74fnk22m-go-1.22.1/share/go/src/net/http/server.go:3285 +0x4b4 

I have set the OPENID_CONNECT_KEY, OPENID_CONNECT_SECRET and OPENID_CONNECT_DISCOVERY_URL to appropriate values. The discovery URL returns this JSON:

{
    "issuer": "https://git.0cx.de/",
    "authorization_endpoint": "https://git.0cx.de/login/oauth/authorize",
    "token_endpoint": "https://git.0cx.de/login/oauth/access_token",
    "jwks_uri": "https://git.0cx.de/login/oauth/keys",
    "userinfo_endpoint": "https://git.0cx.de/login/oauth/userinfo",
    "introspection_endpoint": "https://git.0cx.de/login/oauth/introspect",
    "response_types_supported": [
        "code",
        "id_token"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "subject_types_supported": [
        "public"
    ],
    "scopes_supported": [
        "openid",
        "profile",
        "email",
        "groups"
    ],
    "claims_supported": [
        "aud",
        "exp",
        "iat",
        "iss",
        "sub",
        "name",
        "preferred_username",
        "profile",
        "picture",
        "website",
        "locale",
        "updated_at",
        "email",
        "email_verified",
        "groups"
    ],
    "code_challenge_methods_supported": [
        "plain",
        "S256"
    ],
    "grant_types_supported": [
        "authorization_code",
        "refresh_token"
    ]
}

Looking at the code, the panic seems to come from this cast: https://github.com/markbates/goth/blob/f4685f5f6edf65de920b6c6c03fc1ffabcb88e68/providers/openidConnect/session.go#L60

Let me know if I'm doing anything wrong, if this is a bug, or if you need any additional information for debugging.
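The panic message in the report ("interface conversion: interface {} is nil, not string") is the shape Go produces when an unchecked type assertion like `v.(string)` is applied to a nil interface value; the reporter points at such a cast on the token response's extra fields. The following is an added illustration, not goth's code and not code from the issue, showing why that pattern turns a missing field into a crash of the HTTP handler and how the comma-ok form turns the same input into a recoverable error instead. The helper names (`unsafeIDToken`, `safeIDToken`, `parseTokenResponse`, `recoverPanic`) and the two token-response bodies are constructed for this example; whether a given provider omits `id_token` in a particular flow is not something this snippet determines.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrMissingIDToken is returned when the token response carries no usable
// id_token (hypothetical error value, not part of goth).
var ErrMissingIDToken = errors.New("token response has no id_token string")

// unsafeIDToken mirrors an unchecked type assertion on the provider's extra
// fields: if "id_token" is absent the map yields a nil interface value, and
// converting nil to string panics with exactly the message seen in the report.
func unsafeIDToken(extra map[string]interface{}) string {
	return extra["id_token"].(string)
}

// safeIDToken uses the comma-ok form, so an absent or non-string id_token is
// reported as an error the caller can fail closed on, instead of a panic
// that takes down the serving goroutine. Constructed helper, not goth's code.
func safeIDToken(extra map[string]interface{}) (string, error) {
	raw, ok := extra["id_token"].(string)
	if !ok || raw == "" {
		return "", ErrMissingIDToken
	}
	return raw, nil
}

// parseTokenResponse decodes a raw OAuth2 token response body into a map of
// its fields; a constructed stand-in for the HTTP client layer that normally
// fills the token's extra values.
func parseTokenResponse(body []byte) (map[string]interface{}, error) {
	var extra map[string]interface{}
	if err := json.Unmarshal(body, &extra); err != nil {
		return nil, err
	}
	return extra, nil
}

// recoverPanic runs fn and reports whether it panicked, so the two helpers
// can be compared side by side without crashing the process.
func recoverPanic(fn func()) (panicked bool) {
	defer func() {
		if r := recover(); r != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed token responses: the first carries an id_token as an OIDC
	// provider would after an "openid"-scoped request; the second omits it,
	// which is what a plain OAuth2 token endpoint returns.
	withID := []byte(`{"access_token":"at-example","token_type":"bearer","id_token":"eyJhbGciOi.example.sig"}`)
	withoutID := []byte(`{"access_token":"at-example","token_type":"bearer"}`)

	for _, body := range [][]byte{withID, withoutID} {
		extra, err := parseTokenResponse(body)
		if err != nil {
			fmt.Println("decode error:", err)
			continue
		}
		fmt.Println("unchecked assertion panics:", recoverPanic(func() { _ = unsafeIDToken(extra) }))
		if tok, err := safeIDToken(extra); err != nil {
			fmt.Println("checked extraction failed:", err)
		} else {
			fmt.Println("checked extraction ok:", tok)
		}
	}
}
```

The defensive point is that a token response is attacker-influenced input arriving over the network, so the handler should treat a missing or malformed `id_token` as an authentication failure (return an error to the caller, log it, and do not create a session) rather than let an assertion panic inside `Authorize`; net/http recovers the panic per connection, but it still produces the noisy trace above and gives no useful error to the user or operator.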