search

ramosbugs / openidconnect-rs

OpenID Connect Library for Rust
MIT License
427 stars 103 forks source link

Subject issuer can cause parse failure #110

Closed davidv1992 closed 1 year ago

davidv1992 commented 1 year ago

I am requesting a token id that contains the subject_issuer field. However, when executing the request with client.exchange_code, I get the following parse error back:

Parse(Error { path: Path { segments: [] }, original: Error("Failed to parse payload JSON: Error(\"invalid type: string \\\"simulator\\\", expected a sequence\", line: 1, column: 273)", line: 1, column: 1646) }, [123, 34, 97, 99, 99, 101, 115, 115, 95, 116, 111, 107, 101, 110, 34, 58, 34, 98, 78, 75, 69, 108, 108, 113, 83, 118, 121, 54, 70, 122, 50, 67, 52, 76, 103, 83, 116, 66, 119, 73, 111, 106, 99, 71, 107, 106, 98, 70, 115, 82, 49, 105, 113, 73, 71, 116, 52, 71, 112, 103, 34, 44, 34, 114, 101, 102, 114, 101, 115, 104, 95, 116, 111, 107, 101, 110, 34, 58, 34, 45, 69, 69, 75, 45, 52, 75, 50, 110, 117, 101, 119, 55, 53, 114, 99, 112, 50, 49, 115, 49, 105, 88, 112, 81, 54, 52, 74, 103, 45, 71, 73, 88, 51, 101, 90, 100, 109, 117, 109, 88, 100, 48, 34, 44, 34, 115, 99, 111, 112, 101, 34, 58, 34, 111, 112, 101, 110, 105, 100, 34, 44, 34, 105, 100, 95, 116, 111, 107, 101, 110, 34, 58, 34, 101, 121, 74, 114, 97, 87, 81, 105, 79, 105, 73, 48, 98, 72, 108, 106, 99, 106, 104, 50, 101, 68, 100, 87, 97, 85, 70, 53, 99, 48, 115, 52, 87, 106, 74, 68, 87, 109, 57, 68, 97, 49, 100, 66, 98, 72, 78, 69, 78, 49, 86, 73, 86, 85, 90, 86, 85, 84, 86, 89, 79, 88, 66, 69, 90, 87, 100, 51, 73, 105, 119, 105, 89, 87, 120, 110, 73, 106, 111, 105, 85, 108, 77, 121, 78, 84, 89, 105, 102, 81, 46, 101, 121, 74, 122, 100, 87, 73, 105, 79, 105, 74, 67, 81, 87, 104, 116, 86, 50, 74, 77, 97, 86, 65, 50, 101, 87, 116, 116, 99, 51, 69, 51, 82, 108, 78, 110, 78, 85, 108, 89, 98, 107, 49, 77, 97, 87, 74, 51, 87, 108, 70, 116, 81, 109, 86, 50, 89, 122, 90, 122, 78, 68, 65, 52, 82, 107, 108, 83, 77, 51, 108, 90, 83, 88, 100, 50, 90, 87, 70, 68, 99, 109, 90, 90, 81, 109, 112, 108, 82, 71, 86, 90, 86, 72, 86, 75, 78, 108, 70, 69, 77, 68, 74, 54, 98, 71, 73, 121, 86, 49, 100, 66, 101, 87, 90, 80, 100, 70, 119, 118, 87, 84, 82, 115, 100, 110, 104, 70, 101, 109, 82, 119, 90, 51, 82, 117, 101, 107, 78, 48, 78, 86, 82, 105, 83, 48, 111, 48, 89, 50, 53, 107, 77, 71, 100, 77, 73, 105, 119, 105, 100, 88, 74, 117, 79, 109, 86, 48, 98, 50, 86, 110, 89, 87, 53, 110, 79, 109, 78, 118, 99, 109, 85, 54, 85, 50, 86, 121, 100, 109, 108, 106, 90, 85, 108, 69, 73, 106, 111, 105, 100, 88, 74, 117, 79, 109, 86, 48, 98, 50, 86, 110, 89, 87, 53, 110, 79, 107, 82, 87, 79, 106, 65, 119, 77, 68, 65, 119, 77, 68, 65, 122, 77, 106, 81, 48, 78, 68, 81, 119, 77, 68, 69, 119, 77, 68, 65, 119, 79, 110, 78, 108, 99, 110, 90, 112, 89, 50, 86, 122, 79, 106, 107, 120, 77, 68, 73, 105, 76, 67, 74, 49, 99, 109, 52, 54, 90, 88, 82, 118, 90, 87, 100, 104, 98, 109, 99, 54, 77, 83, 52, 53, 79, 109, 70, 48, 100, 72, 74, 112, 89, 110, 86, 48, 90, 84, 112, 69, 89, 88, 82, 108, 84, 50, 90, 67, 97, 88, 74, 48, 97, 67, 73, 54, 73, 106, 69, 53, 78, 84, 89, 116, 77, 68, 103, 116, 77, 68, 69, 105, 76, 67, 74, 104, 98, 88, 73, 105, 79, 105, 74, 122, 97, 87, 49, 49, 98, 71, 70, 48, 98, 51, 73, 105, 76, 67, 74, 112, 99, 51, 77, 105, 79, 105, 74, 111, 100, 72, 82, 119, 99, 122, 112, 99, 76, 49, 119, 118, 100, 109, 86, 121, 90, 71, 86, 121, 97, 71, 86, 115, 99, 71, 86, 117, 76, 88, 82, 121, 97, 87, 70, 115, 76, 110, 66, 121, 90, 83, 53, 112, 90, 84, 65, 120, 76, 110, 78, 112, 90, 50, 53, 112, 89, 50, 70, 48, 76, 110, 66, 121, 98, 49, 119, 118, 89, 110, 74, 118, 97, 50, 86, 121, 88, 67, 57, 122, 99, 70, 119, 118, 98, 50, 108, 107, 89, 121, 73, 115, 73, 110, 86, 121, 98, 106, 112, 108, 100, 71, 57, 108, 90, 50, 70, 117, 90, 122, 111, 120, 76, 106, 107, 54, 89, 88, 82, 48, 99, 109, 108, 105, 100, 88, 82, 108, 79, 107, 90, 112, 99, 110, 78, 48, 84, 109, 70, 116, 90, 83, 73, 54, 73, 108, 66, 108, 100, 72, 74, 49, 99, 121, 66, 88, 97, 87, 120, 111, 90, 87, 120, 116, 100, 88, 77, 103, 81, 87, 82, 121, 97, 87, 70, 117, 100, 88, 77, 105, 76, 67, 74, 117, 98, 50, 53, 106, 90, 83, 73, 54, 73, 107, 120, 69, 86, 71, 82, 67, 83, 70, 78, 86, 83, 85, 119, 53, 90, 108, 90, 69, 84, 48, 116, 54, 79, 72, 100, 78, 89, 50, 99, 105, 76, 67, 74, 104, 100, 87, 81, 105, 79, 105, 74, 109, 82, 88, 108, 108, 82, 50, 86, 114, 79, 87, 86, 89, 101, 70, 90, 117, 84, 50, 78, 86, 97, 108, 89, 53, 98, 87, 82, 86, 84, 69, 78, 84, 87, 107, 99, 52, 101, 69, 120, 68, 85, 105, 73, 115, 73, 110, 86, 121, 98, 106, 112, 108, 100, 71, 57, 108, 90, 50, 70, 117, 90, 122, 111, 120, 76, 106, 107, 54, 89, 88, 82, 48, 99, 109, 108, 105, 100, 88, 82, 108, 79, 107, 90, 104, 98, 87, 108, 115, 101, 85, 53, 104, 98, 87, 85, 105, 79, 105, 74, 67, 89, 87, 116, 114, 90, 88, 73, 105, 76, 67, 74, 49, 99, 109, 52, 54, 90, 88, 82, 118, 90, 87, 100, 104, 98, 109, 99, 54, 77, 83, 52, 120, 77, 106, 112, 70, 98, 110, 82, 112, 100, 72, 108, 68, 98, 50, 53, 106, 90, 88, 74, 117, 90, 87, 82, 74, 82, 68, 112, 81, 99, 50, 86, 49, 90, 71, 57, 74, 82, 67, 73, 54, 73, 107, 74, 66, 97, 71, 49, 88, 89, 107, 120, 112, 85, 68, 90, 53, 97, 50, 49, 122, 99, 84, 100, 71, 85, 50, 99, 49, 83, 86, 104, 117, 84, 85, 120, 112, 89, 110, 100, 97, 85, 87, 49, 67, 90, 88, 90, 106, 78, 110, 77, 48, 77, 68, 104, 71, 83, 86, 73, 122, 101, 86, 108, 74, 100, 51, 90, 108, 89, 85, 78, 121, 90, 108, 108, 67, 97, 109, 86, 69, 90, 86, 108, 85, 100, 85, 111, 50, 85, 85, 81, 119, 77, 110, 112, 115, 89, 106, 74, 88, 86, 48, 70, 53, 90, 107, 57, 48, 88, 67, 57, 90, 78, 71, 120, 50, 101, 69, 86, 54, 90, 72, 66, 110, 100, 71, 53, 54, 81, 51, 81, 49, 86, 71, 74, 76, 83, 106, 82, 106, 98, 109, 81, 119, 90, 48, 119, 105, 76, 67, 74, 122, 100, 87, 74, 113, 90, 87, 78, 48, 88, 50, 108, 122, 99, 51, 86, 108, 99, 105, 73, 54, 73, 110, 78, 112, 98, 88, 86, 115, 89, 88, 82, 118, 99, 105, 73, 115, 73, 109, 86, 52, 99, 67, 73, 54, 77, 84, 89, 52, 78, 68, 81, 119, 79, 84, 85, 120, 77, 83, 119, 105, 97, 87, 70, 48, 73, 106, 111, 120, 78, 106, 103, 48, 78, 68, 65, 52, 78, 106, 69, 120, 102, 81, 46, 80, 77, 74, 101, 80, 65, 114, 70, 80, 83, 79, 54, 65, 120, 74, 70, 100, 65, 72, 54, 106, 74, 77, 74, 108, 89, 98, 73, 55, 118, 89, 109, 76, 104, 56, 86, 95, 77, 101, 115, 98, 56, 80, 87, 97, 89, 81, 77, 52, 103, 120, 88, 75, 53, 112, 106, 99, 75, 74, 48, 69, 68, 77, 48, 112, 102, 114, 101, 104, 108, 77, 76, 86, 88, 98, 53, 115, 80, 75, 88, 112, 73, 85, 45, 78, 113, 71, 100, 72, 104, 120, 78, 87, 88, 82, 95, 82, 85, 56, 117, 113, 80, 48, 100, 104, 83, 74, 45, 65, 97, 119, 49, 121, 68, 70, 73, 101, 48, 73, 66, 75, 45, 55, 71, 103, 87, 70, 111, 101, 78, 106, 100, 98, 49, 87, 51, 73, 48, 118, 50, 70, 72, 85, 83, 95, 85, 78, 74, 107, 56, 53, 100, 83, 109, 79, 83, 120, 95, 101, 118, 84, 109, 109, 108, 85, 73, 72, 97, 49, 97, 57, 105, 100, 89, 84, 111, 81, 48, 98, 85, 101, 82, 106, 95, 112, 98, 95, 54, 73, 90, 68, 116, 67, 86, 88, 76, 57, 51, 90, 77, 73, 101, 105, 87, 121, 111, 122, 112, 121, 97, 76, 106, 121, 53, 101, 112, 119, 89, 107, 78, 79, 65, 107, 78, 122, 52, 78, 45, 120, 80, 76, 71, 49, 102, 105, 100, 70, 106, 100, 89, 78, 65, 110, 122, 87, 74, 116, 67, 105, 70, 107, 99, 97, 83, 102, 45, 84, 74, 55, 51, 50, 78, 65, 79, 121, 97, 116, 121, 112, 57, 86, 77, 118, 103, 65, 120, 73, 110, 69, 55, 85, 88, 110, 105, 87, 75, 45, 75, 70, 88, 50, 54, 83, 107, 114, 107, 97, 104, 116, 48, 114, 120, 51, 85, 86, 82, 52, 75, 73, 101, 76, 108, 81, 69, 75, 99, 78, 85, 88, 82, 107, 101, 103, 105, 84, 68, 109, 57, 50, 105, 106, 115, 104, 72, 90, 89, 48, 71, 57, 104, 98, 81, 34, 44, 34, 116, 111, 107, 101, 110, 95, 116, 121, 112, 101, 34, 58, 34, 66, 101, 97, 114, 101, 114, 34, 44, 34, 101, 120, 112, 105, 114, 101, 115, 95, 105, 110, 34, 58, 57, 48, 48, 125])

Looking at the raw request data in there, this looks completely valid to me:

{"access_token":"bNKEllqSvy6Fz2C4LgStBwIojcGkjbFsR1iqIGt4Gpg","refresh_token":"-EEK-4K2nuew75rcp21s1iXpQ64Jg-GIX3eZdmumXd0","scope":"openid","id_token":"eyJraWQiOiI0bHljcjh2eDdWaUF5c0s4WjJDWm9Da1dBbHNEN1VIVUZVUTVYOXBEZWd3IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJCQWhtV2JMaVA2eWttc3E3RlNnNUlYbk1MaWJ3WlFtQmV2YzZzNDA4RklSM3lZSXd2ZWFDcmZZQmplRGVZVHVKNlFEMDJ6bGIyV1dBeWZPdFwvWTRsdnhFemRwZ3RuekN0NVRiS0o0Y25kMGdMIiwidXJuOmV0b2VnYW5nOmNvcmU6U2VydmljZUlEIjoidXJuOmV0b2VnYW5nOkRWOjAwMDAwMDAzMjQ0NDQwMDEwMDAwOnNlcnZpY2VzOjkxMDIiLCJ1cm46ZXRvZWdhbmc6MS45OmF0dHJpYnV0ZTpEYXRlT2ZCaXJ0aCI6IjE5NTYtMDgtMDEiLCJhbXIiOiJzaW11bGF0b3IiLCJpc3MiOiJodHRwczpcL1wvdmVyZGVyaGVscGVuLXRyaWFsLnByZS5pZTAxLnNpZ25pY2F0LnByb1wvYnJva2VyXC9zcFwvb2lkYyIsInVybjpldG9lZ2FuZzoxLjk6YXR0cmlidXRlOkZpcnN0TmFtZSI6IlBldHJ1cyBXaWxoZWxtdXMgQWRyaWFudXMiLCJub25jZSI6IkxEVGRCSFNVSUw5ZlZET0t6OHdNY2ciLCJhdWQiOiJmRXllR2VrOWVYeFZuT2NValY5bWRVTENTWkc4eExDUiIsInVybjpldG9lZ2FuZzoxLjk6YXR0cmlidXRlOkZhbWlseU5hbWUiOiJCYWtrZXIiLCJ1cm46ZXRvZWdhbmc6MS4xMjpFbnRpdHlDb25jZXJuZWRJRDpQc2V1ZG9JRCI6IkJBaG1XYkxpUDZ5a21zcTdGU2c1SVhuTUxpYndaUW1CZXZjNnM0MDhGSVIzeVlJd3ZlYUNyZllCamVEZVlUdUo2UUQwMnpsYjJXV0F5Zk90XC9ZNGx2eEV6ZHBndG56Q3Q1VGJLSjRjbmQwZ0wiLCJzdWJqZWN0X2lzc3VlciI6InNpbXVsYXRvciIsImV4cCI6MTY4NDQwOTUxMSwiaWF0IjoxNjg0NDA4NjExfQ.PMJePArFPSO6AxJFdAH6jJMJlYbI7vYmLh8V_Mesb8PWaYQM4gxXK5pjcKJ0EDM0pfrehlMLVXb5sPKXpIU-NqGdHhxNWXR_RU8uqP0dhSJ-Aaw1yDFIe0IBK-7GgWFoeNjdb1W3I0v2FHUS_UNJk85dSmOSx_evTmmlUIHa1a9idYToQ0bUeRj_pb_6IZDtCVXL93ZMIeiWyozpyaLjy5epwYkNOAkNz4N-xPLG1fidFjdYNAnzWJtCiFkcaSf-TJ732NAOyatyp9VMvgAxInE7UXniWK-KFX26Skrkaht0rx3UVR4KIeLlQEKcNUXRkegiTDm92ijshHZY0G9hbQ","token_type":"Bearer","expires_in":900}

The decoded tokenid looks like this:

{
  "sub": "BAhmWbLiP6ykmsq7FSg5IXnMLibwZQmBevc6s408FIR3yYIwveaCrfYBjeDeYTuJ6QD02zlb2WWAyfOt/Y4lvxEzdpgtnzCt5TbKJ4cnd0gL",
  "urn:etoegang:core:ServiceID": "urn:etoegang:DV:00000003244440010000:services:9102",
  "urn:etoegang:1.9:attribute:DateOfBirth": "1956-08-01",
  "amr": "simulator",
  "iss": "https://verderhelpen-trial.pre.ie01.signicat.pro/broker/sp/oidc",
  "urn:etoegang:1.9:attribute:FirstName": "Petrus Wilhelmus Adrianus",
  "nonce": "LDTdBHSUIL9fVDOKz8wMcg",
  "aud": "fEyeGek9eXxVnOcUjV9mdULCSZG8xLCR",
  "urn:etoegang:1.9:attribute:FamilyName": "Bakker",
  "urn:etoegang:1.12:EntityConcernedID:PseudoID": "BAhmWbLiP6ykmsq7FSg5IXnMLibwZQmBevc6s408FIR3yYIwveaCrfYBjeDeYTuJ6QD02zlb2WWAyfOt/Y4lvxEzdpgtnzCt5TbKJ4cnd0gL",
  "subject_issuer": "simulator",
  "exp": 1684409511,
  "iat": 1684408611
}

Am I doing something weird/wrong or is this a bug in the library? I am using openidconnect version 3.0

Note: All data above is test data, and does not contain actual person identifying data.

ramosbugs commented 1 year ago

Hi @davidv1992,

As the error indicates, a sequence (JSON array) is expected at offset 273 of the ID token's decoded JSON blob, which corresponds to the amr claim ("simulator").

The spec defines the amr claim unambiguously as a JSON array of strings:

OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.

By providing a JSON string instead of an array of strings, this ID token is invalid. Unfortunately, there's no easy workaround since rewriting the JWT at the HTTP client layer would cause the ID token's signature validation to fail. I think you'll need to reach out to the OIDC provider to get them to follow the spec in order to interoperate with this crate.

davidv1992 commented 1 year ago

Ah thank you for the information, that explains a lot. I will contact the provider.