Add a new attribute's type to handle attributes containing JSON data more gracefully in OIDC flows #822

Open
aliaksander-samuseu opened this Issue Jun 13, 2018 · 0 comments

Contributor

aliaksander-samuseu commented Jun 13, 2018

A bit of context:

Currently, if an attribute's type is text and a JSON object is stored in it, then when this attribute's value is included in the JSON object of the /userinfo response during an OIDC flow, it's re-encoded as a regular string value.

Example:
A JSON object like the one below

{"salt": "macnh", "test_bool": true}

...is changed into this:

"{\"salt\": \"macnh\", \"test_bool\": true}"

Even if this attribute's value is set via the web UI, it's still represented as JSON in LDAP, so apparently it's re-encoded on the fly when the userinfo request is being served.

It should be noted that it's possible to include enclosed JSON objects in the base JSON object of the userinfo response from within a dynamic scope script, so technically it shouldn't be that hard to make it properly handle JSON objects persisted in attributes in LDAP as well.

The original ticket where it was reported is here.

Suggestion:

Add a new attribute type, "JSON", selectable in the "Type" dropdown list when an attribute is created/modified, to handle this case more gracefully. If such a type is detected when a claim's value is being composed, oxAuth will verify that it's a valid JSON object and will encode it correspondingly before adding it to the userinfo response. This should work both when claims are fetched from userinfo and when they are included in id_token (when the legacy mode is enabled).
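The following is an added illustration of the behaviour the issue describes and the handling it proposes; it is not oxAuth code and does not use its APIs. It models the attribute "Type" setting as a plain lookup table (the attribute names and the `build_userinfo_claims` / `serialize_userinfo` helpers are hypothetical) and shows the same stored value coming out as an escaped string under the current text type and as a nested object under a JSON type. The JSON-typed branch only embeds a value that parses as a JSON object, so a malformed stored value is reported (or, with `strict=False`, left as a plain string) rather than silently changing the shape of the response:

```python
import json

# Constructed attribute-type table, standing in for the "Type" setting of an
# attribute in the admin UI. "json" is the proposed new type; everything else
# behaves like today's "text" type. The attribute names are hypothetical.
ATTRIBUTE_TYPES = {
    "email": "text",
    "profile_data": "json",
    "legacy_blob": "text",
}


def is_valid_json_object(raw):
    """Return True only if raw parses as a JSON object (not an array or scalar)."""
    try:
        return isinstance(json.loads(raw), dict)
    except (TypeError, ValueError):
        return False


def build_userinfo_claims(ldap_values, attribute_types, strict=True):
    """Compose the claims dict for a userinfo response.

    ldap_values maps attribute name -> the string read from LDAP.
    A "json"-typed attribute is parsed and embedded as a nested object;
    any other type keeps the string as-is (today's behaviour). With
    strict=True a json-typed attribute holding invalid JSON raises, so a
    bad stored value is caught instead of silently changing shape; with
    strict=False it degrades to the plain string.
    """
    claims = {}
    for name, raw in ldap_values.items():
        if attribute_types.get(name, "text") == "json":
            if is_valid_json_object(raw):
                claims[name] = json.loads(raw)
            elif strict:
                raise ValueError(f"attribute {name!r} is typed json but holds invalid JSON")
            else:
                claims[name] = raw
        else:
            claims[name] = raw
    return claims


def serialize_userinfo(claims):
    """Serialize the claims the way the HTTP response body would be produced."""
    return json.dumps(claims, sort_keys=True)


if __name__ == "__main__":
    stored = '{"salt": "macnh", "test_bool": true}'   # the value quoted in the issue
    ldap = {"email": "user@example.com", "profile_data": stored, "legacy_blob": stored}
    # legacy_blob (text) comes out as an escaped string, profile_data (json) as an object
    print(serialize_userinfo(build_userinfo_claims(ldap, ATTRIBUTE_TYPES)))
```

Running the block prints one response body in which `legacy_blob` carries the `"{\"salt\": ...}"` string form from the issue and `profile_data` carries the nested object. Rejecting non-object JSON (arrays, bare strings) keeps the claim shape predictable for relying parties; whether an invalid value should fail the request or fall back to a string is a policy choice left to the `strict` flag here.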
