aeneasr
commented
3 months ago There was this PR: https://github.com/ory/hydra/pull/3722
Is that the same issue, and if yes, #3722 seems to use the number decoding in more places.
Closed alnr closed 3 months ago
aeneasr
commented
3 months ago There was this PR: https://github.com/ory/hydra/pull/3722
Is that the same issue, and if yes, #3722 seems to use the number decoding in more places.
aeneasr
commented
3 months ago Also, are there any implications for backwards compatibility with prior consent sessions?
alnr
commented
3 months ago Yes I did see https://github.com/ory/hydra/pull/3722. As the author discovered, using json.Number does not fix this issue. The underlying problem is described here: https://github.com/go-jose/go-jose/issues/144
I don't think this will cause any regressions. This change mostly or exclusively impacts how numbers are serialized into the final token, it doesn't really change any underlying data. While we're handling the custom claims in hydra, we serialize+deserialize them to/from JSON a couple of times. Each time, any "type" information about whether the number is a float or integer is lost since this distinction doesn't exist in JSON.
Adding custom claims with numerical types (think JavaScript Number) previously did not round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims would end up as floating points in exponential notation in the final token. That, in turn, confused or broke downstream consumers of the token, including Kratos.
Ref https://github.com/go-jose/go-jose/issues/144