User info fails to unmarshal when email_verified is a string #63

Closed
Deadleg opened this issue May 13, 2021 · 1 comment · Fixed by #82
Labels
bug Something isn't working

Comments


Deadleg commented May 13, 2021

Is this a bug report or feature request?

  • Bug Report

Describe the bug
When using AWS Cognito the email_verified field is a string "true" instead of a boolean, causing an unmarshal error in

if err := json.Unmarshal(body, &userInfo); err != nil {
.

It appears that Apple and PayPal have similar issues with using string values as well. This is nonconformant to the OpenID spec, but it's annoying enough to want to work around.

How to Reproduce
Steps to reproduce the behavior:

  1. Deploy AuthService using Cognito as the OIDC IdP.
  2. Start the auth code sign in.
  3. Sign in to Cognito.
  4. Return to AuthService authorization callback, which will error while retrieving your user info.

Expected behavior
Sign in should work and retrieve your email.

Config Files
All defaults except for the mandatory OAuth client id etc.

Logs

level=error msg="Not able to fetch userinfo: oidc: failed to decode userinfo: json: cannot unmarshal string into Go struct field UserInfo.email_verified of type bool"

Environment:

  • AuthService version: fef11c3
  • Platform: EKS + kubeflow 1.3
  • Kubernetes version: 1.19

Additional context
This patch fixes the issue:

diff --git a/oidc.go b/oidc.go
index 3147706..586d0a4 100644
--- a/oidc.go
+++ b/oidc.go
@@ -16,7 +16,7 @@ type UserInfo struct {
        Subject       string `json:"sub"`
        Profile       string `json:"profile"`
        Email         string `json:"email"`
-       EmailVerified bool   `json:"email_verified"`
+       EmailVerified bool   `json:"email_verified,string"`
 
        RawClaims []byte
 }
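Review bot: On the changed EmailVerified line, the ",string" tag option makes encoding/json accept only a quoted value for this field, so a spec-conformant provider that returns a JSON boolean ("email_verified": true) would then fail to decode with an "invalid use of ,string struct tag" error. That swaps the Cognito failure for a failure on every conformant IdP. Consider a small custom type with an UnmarshalJSON method that accepts a boolean as well as the strings "true" and "false" and returns an error for anything else, so an unrecognised value is never treated as verified. A comment on the field explaining why it deviates from the OIDC spec would also help the next reader.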
Deadleg added the bug (Something isn't working) label May 13, 2021
@yanniszark
Contributor

@Deadleg thanks for reporting this!
It's very interesting to see that AWS, PayPal and Apple have bugs in their OIDC implementation.
I would like to ask:

  • Do you know if there is any issue in an AWS repo tracking this bug?
  • Do you have any information about how other OIDC clients in the wild handle this special case? This is essentially going off-spec.

johnbuluba pushed a commit that referenced this issue Feb 14, 2022
Extend the GetUserInfo() function of the oidc.go to handle both
booleans and string values for the email_verified field of the
UserInfo struct. The OIDC spec defined that this field MUST have
boolean value, however some external Identity Providers deviate
from this spec and use string values for this field. AuthService
will now cover both types (e.g., true, "true"...).

GitHub-PR: #82
Closes #63

Signed-off-by: Athanasios Markou <athamark@arrikto.com>
Reviewed-by: Ioannis Bouloumpasis <buluba@arrikto.com>
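
The tolerant decoding that the commit message above describes, as an added Go example that is not AuthService's own code from #82: FlexBool and DecodeUserInfo are hypothetical names, and the sample bodies in main are constructed. It accepts a JSON boolean or the exact strings "true"/"false" and fails closed on anything else.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// FlexBool (hypothetical name, not AuthService's type) accepts a JSON boolean
// or the exact strings "true"/"false"; any other value is a decode error.
type FlexBool bool

func (b *FlexBool) UnmarshalJSON(data []byte) error {
	var raw interface{}
	if err := json.Unmarshal(data, &raw); err != nil {
		return err
	}
	switch v := raw.(type) {
	case bool: // spec-conformant providers
		*b = FlexBool(v)
	case string: // providers that quote the value, e.g. "true"
		if v != "true" && v != "false" {
			return fmt.Errorf("email_verified: unexpected string %q", v)
		}
		*b = v == "true"
	default: // numbers, objects, null: fail closed rather than guess
		return fmt.Errorf("email_verified: unexpected JSON type %T", v)
	}
	return nil
}

// UserInfo mirrors the fields shown in the issue's diff, with the tolerant type.
type UserInfo struct {
	Subject       string   `json:"sub"`
	Profile       string   `json:"profile"`
	Email         string   `json:"email"`
	EmailVerified FlexBool `json:"email_verified"`
}

func DecodeUserInfo(body []byte) (u UserInfo, err error) {
	err = json.Unmarshal(body, &u)
	return
}

func main() { // constructed sample bodies: conformant, string-valued, invalid
	for _, s := range []string{`{"email_verified":true}`, `{"email_verified":"true"}`, `{"email_verified":"yes"}`} {
		u, err := DecodeUserInfo([]byte(s))
		fmt.Println(s, "->", u.EmailVerified, err)
	}
}
```

A missing email_verified claim leaves the field at its zero value, false, so the user is treated as unverified.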