nextcloud / user_oidc

OIDC connect user backend for Nextcloud
GNU Affero General Public License v3.0

Claims query parameter with Google authentication breaks login #830

Open OskarsPakers opened 2 months ago

OskarsPakers commented 2 months ago

I have configured OIDC provider through configuration with Google.

- Discovery endpoint: https://accounts.google.com/.well-known/openid-configuration
- Scope: openid email profile
- User ID mapping: email

When logging in, the user gets redirected to the authentication endpoint `https://accounts.google.com/o/oauth2/v2/auth?client_id=...` and a `claims` query parameter is appended:

```json
{"id_token":{"email":{"essential":true},"name":null,"quota":null,"groups":null},"userinfo":{"email":{"essential":true},"name":null,"quota":null,"groups":null}}
```

which results in an error page on Google login:

> Invalid parameter value for claims: Invalid claims: claims must have a single object value "id_token" [Learn more about this error](https://developers.google.com/identity/protocols/oauth2)
> If you are a developer of ... , see [error details](https://accounts.google.com/).
> Error 400: invalid_request

If the claims parameter is removed, then authentication goes through. Should there be a parameter to avoid the claims parameter being passed?

julien-nc commented 2 months ago

Thanks for reporting this. Could you try to delete lines 263->268, 273 and 281 of apps/user_oidc/lib/Controller/LoginController.php?

https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L263-L268
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L273
https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L281

Google's response says it would work with just having the id_token attribute in the claim GET param.

jjwinters commented 2 months ago

> Thanks for reporting this. Could you try to delete lines 263->268, 273 and 281 of apps/user_oidc/lib/Controller/LoginController.php?
>
> https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L263-L268
> https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L273
> https://github.com/nextcloud/user_oidc/blob/main/lib/Controller/LoginController.php#L281
>
> Google's response says it would work with just having the id_token attribute in the claim GET param.

I just tracked down this exact same issue. I can confirm that it works with just the id_token in claims, but not with userinfo.

Removing those lines you specify in LoginController.php fixes it!

(Side note: all my Google searching yielded nothing. I did not find this issue until I tracked down this specific repo and searched for "userinfo" after determining it was the difference in the request.)
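To make the shape of the request concrete, here is an added example (not code from user_oidc) that builds the OIDC `claims` parameter the way the issue shows it, in the reduced `id_token`-only form that Google accepts, and then checks that an essential claim actually came back in the ID token, since `"essential": true` is only a request and not a guarantee. The claim names, client id and redirect URI are constructed for the example.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed to mirror the claims quoted in the issue: email is essential
# (the user ID mapping), the rest are voluntary.
REQUESTED_CLAIMS = {"email": {"essential": True}, "name": None, "quota": None, "groups": None}


def build_claims(requested, id_token_only=False):
    """Build the 'claims' request parameter (OpenID Connect Core 1.0, section 5.5).

    By default the same claims are requested for both the ID token and the
    UserInfo response. With id_token_only=True the 'userinfo' member is left
    out, which is the single-'id_token' shape Google's error message demands.
    """
    claims = {"id_token": dict(requested)}
    if not id_token_only:
        claims["userinfo"] = dict(requested)
    return claims


def google_accepts(claims):
    """True when the claims object has exactly the one member Google allows."""
    return set(claims) == {"id_token"}


def build_auth_url(auth_endpoint, client_id, redirect_uri, claims,
                   scope="openid email profile"):
    """Serialise the claims object as compact JSON into the authorization URL."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "claims": json.dumps(claims, separators=(",", ":")),
    }
    return auth_endpoint + "?" + urlencode(params)


def claims_from_url(url):
    """Parse the claims object back out of an authorization URL (for inspection)."""
    return json.loads(parse_qs(urlparse(url).query)["claims"][0])


def missing_essential(requested, id_token_claims):
    """Essential claims the provider did not return; the login must fail on any."""
    return [name for name, spec in requested.items()
            if isinstance(spec, dict) and spec.get("essential")
            and name not in id_token_claims]
```

With `userinfo` dropped, the client only has the ID token to go on, so the `missing_essential` check is what replaces the data the UserInfo request would otherwise have supplied.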