ory / hydra

The most scalable and customizable OpenID Certified™ OpenID Connect and OAuth Provider on the market. Become an OpenID Connect and OAuth2 Provider over night. Broad support for related RFCs. Written in Go, cloud native, headless, API-first. Available as a service on Ory Network and for self-hosters.
https://www.ory.sh/?utm_source=github&utm_medium=banner&utm_campaign=hydra
Apache License 2.0

/oauth2/token return id_token with malformed updated_at (scientific notation) #3850

Open kghost opened 1 month ago

kghost commented 1 month ago

Preflight checklist

Ory Network Project

No response

Describe the bug

/oauth2/token returns a JSON response with an id_token; after base64 decoding it, I got the following JSON:

{
  "amr":["password"],
  "at_hash":"xxx",
  "aud":["xxx"],
  "auth_time":1727351026,
  "email":"xxx@example.com",
  "email_verified":true,
  "exp":1727473364,
  "iat":1727408564,
  "iss":"https://hydra.example.com/",
  "jti":"xxx",
  "preferred_username":"xxx",
  "rat":1727408564,
  "sid":"xxx",
  "sub":"xxx",
  "updated_at":1.705586667e+09
}

Everything is fine except that updated_at is in scientific notation.

And my application, Kratos, returns an error:

json: cannot unmarshal number 1.705586667e+09 into Go struct field Claims.updated_at of type int64

Reproducing the bug

Environment:
OAuth2 Provider: Kratos (v1.2.0) + Hydra (v2.2.0) + UI (v0.14.1)
Application: Kratos (v1.2.0) + UI (v0.14.1)

I can confirm that the /admin/oauth2/auth/requests/consent/accept endpoint got the correct claims:

{
  "grant_scope":["openid","email","profile"],
  "grant_access_token_audience":[],
  "session":{
    "access_token":{},
    "id_token":{
      "email":"xxx@example.com",
      "email_verified":true,
      "preferred_username":"xxx",
      "updated_at":1705586667
    }
  }
}

I also checked the database and confirmed that the hydra_oauth2_flow table contains the correct session_id_token:

select requested_at, session_id_token from hydra_oauth2_flow where client_id = 'xxx' and subject = 'xxx' order by requested_at;
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+
| requested_at        | session_id_token                                                                                                                  |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+
| 2024-09-27 03:53:32 | {"email": "xxx@example.com", "updated_at": 1705586667, "email_verified": true, "preferred_username": "xxx"}    |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+

Relevant log output

No response

Relevant configuration

No response

Version

v2.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
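The exponent form in the report is exactly what Go's fmt produces for a float64 of that magnitude, and a claims map decoded through encoding/json into interface{} holds every JSON number as float64. The block below is an added example, not code from the issue or from Hydra/fosite: it shows that mechanism beside json.Decoder.UseNumber, which keeps the original literal, and a hypothetical consumer-side reader (parseTolerant) for tokens that already carry the exponent form. The sample claims are constructed from the consent payload above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
	"strings"
)

// Constructed sample: the claims accepted at the consent endpoint, as in the report.
const consentClaims = `{"email":"xxx@example.com","email_verified":true,"updated_at":1705586667}`

// decodeGeneric decodes into an untyped map, as a generic claims map would;
// on this path encoding/json turns every JSON number into float64.
func decodeGeneric(raw string) (map[string]interface{}, error) {
	var m map[string]interface{}
	err := json.Unmarshal([]byte(raw), &m)
	return m, err
}

// decodeUseNumber keeps each number as json.Number, i.e. the original literal.
func decodeUseNumber(raw string) (map[string]interface{}, error) {
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.UseNumber()
	var m map[string]interface{}
	err := dec.Decode(&m)
	return m, err
}

// render formats a claim with fmt's default verb: a float64 of this size comes
// out in exponent form (the shape seen in the id_token), a json.Number as its literal.
func render(v interface{}) string { return fmt.Sprintf("%v", v) }

// parseTolerant (hypothetical consumer-side reader) accepts an integer literal or an
// exponent literal that still denotes a whole number in float64's exact range.
func parseTolerant(raw string) (int64, error) {
	m, err := decodeUseNumber(raw)
	if err != nil {
		return 0, err
	}
	n, ok := m["updated_at"].(json.Number)
	if !ok {
		return 0, fmt.Errorf("updated_at missing or not a number")
	}
	f, err := n.Float64()
	if err != nil || f != math.Trunc(f) || math.Abs(f) >= 1<<53 {
		return 0, fmt.Errorf("updated_at %s is not a whole number", n)
	}
	return int64(f), nil
}
```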

aeneasr commented 1 month ago

Thank you for the report - the problem is likely an incorrect JSON encoder somewhere deep down in fosite. If you have an idea where this could come from, we appreciate help in pinning down the issue!

aeneasr commented 1 month ago

Looks like this is fixed on master: https://github.com/ory/hydra/pull/3819

kghost commented 1 month ago

Thanks @aeneasr I'll be glad to verify it when the fix is released.