Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] OpenIdConnectConfigurationSerializer Read() method does not parse UseInfoEndpoint correctly #2548

Closed
13 tasks
martinb69 opened this issue Apr 5, 2024 · 1 comment · Fixed by #2550
Closed
13 tasks
Milestone

Comments

@martinb69
Copy link
Contributor

martinb69 commented Apr 5, 2024

Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.
Microsoft.IdentityModel 7.5

Where is the issue?

  • M.IM.JsonWebTokens
  • M.IM.KeyVaultExtensions
  • M.IM.Logging
  • M.IM.ManagedKeyVaultSecurityKey
  • M.IM.Protocols
  • [*] M.IM.Protocols.OpenIdConnect
  • M.IM.Protocols.SignedHttpRequest
  • M.IM.Protocols.WsFederation
  • M.IM.TestExtensions
  • M.IM.Tokens
  • M.IM.Tokens.Saml
  • M.IM.Validators
  • M.IM.Xml
  • S.IM.Tokens.Jwt
  • Other (please describe)

Is this a new or an existing app?

The issue started after switching to another identityprovider

Repro

See Microsoft.IdentityModel.Protocols.OpenIdConnect / OpenIdConnectConfigurationSerializer.cs
The MetadataName.ScopesSupported is wrong and should be MetadataName.UserInfoEndpoint.

else if (reader.ValueTextEquals(Utf8Bytes.UserInfoEndpoint))
   config.UserInfoEndpoint = JsonPrimitives.ReadString(ref reader, MetadataName.ScopesSupported, ClassName, true);

Expected behavior
Parse all fields of the OpenIdConnect info endpoint correctly

Actual behavior
The OpenIdConnectConfigurationSerializer class does not parse the UserInfoEndpoint correctly from the OpenIdConnect discovery endpoint. As a result the next field (in my case "jwks_uri") is not parsed.

Possible solution
Code change:

else if (reader.ValueTextEquals(Utf8Bytes.UserInfoEndpoint))
      config.UserInfoEndpoint = JsonPrimitives.ReadString(ref reader, MetadataName.UserInfoEndpoint, ClassName, true);

Additional context / logs / screenshots / links to code
Parse the following document from OpenIdConnect discovery endpoint where "jwks_uri" is not parsed resulting in missing singing keys:
{
"issuer": "https://identity_tests_dll/auth",
"authorization_endpoint": "https://identity_tests_dll/auth/connect/authorize",
"token_endpoint": "https://identity_tests_dll/auth/connect/token",
"end_session_endpoint": "https://identity_tests_dll/auth/connect/logout",
"userinfo_endpoint": "https://identity_tests_dll/auth/connect/userinfo",
"jwks_uri": "https://identity_tests_dll/auth/.well-known/jwks",
"grant_types_supported": [
"authorization_code",
"refresh_token",
"client_credentials",
"password"
],
"response_types_supported": [
"code"
],
"response_modes_supported": [
"form_post",
"fragment",
"query"
],
"scopes_supported": [
"openid",
"email",
"profile",
"roles",
"api.provision",
"api.session",
"api.organization",
"user",
"offline_access"
],
"claims_supported": [
"aud",
"exp",
"iat",
"iss",
"sub"
],
"id_token_signing_alg_values_supported": [
"RS256"
],
"code_challenge_methods_supported": [
"plain",
"S256"
],
"subject_types_supported": [
"public"
],
"token_endpoint_auth_methods_supported": [
"client_secret_post",
"private_key_jwt",
"client_secret_basic"
],
"claims_parameter_supported": false,
"request_parameter_supported": false,
"request_uri_parameter_supported": false,
"authorization_response_iss_parameter_supported": true
}

@jennyf19
Copy link
Collaborator

jennyf19 commented Apr 5, 2024

Including in the 7.5.1 release @martinb69

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
3 participants