Bug: OpenID Address Claim Does Not Conform to OpenID Standard

[Congyuwang]

In OpenID token, Address should be a json object not an array of string. This causes more rigorous openID client libraries to reject responses from Casdoor.

Failed to parse payload JSON: Error(\"invalid length 0, expected struct AddressClaim with 6 elements\", line: 1, column: 1578) at line 8 column 1)

See OpenID Connect 1.0 Spec: https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim

[casbin-bot]

@seriouszyx @ComradeProgrammer @Resulte

[Congyuwang]

I use https://docs.rs/openidconnect/latest/openidconnect/ openidconnect library in rust.

[Congyuwang]

Quote from https://openid.net/specs/openid-connect-core-1_0.html#AddressClaim

The Address Claim represents a physical mailing address. Implementations MAY return only a subset of the fields of an address, depending upon the information available and the End-User's privacy preferences. For example, the country and region might be returned without returning more fine-grained address information.

Implementations MAY return just the full address as a single string in the formatted sub-field, or they MAY return just the individual component fields using the other sub-fields, or they MAY return both. If both variants are returned, they SHOULD be describing the same address, with the formatted address indicating how the component fields are combined.

• formatted: Full mailing address, formatted for display or use on a mailing label. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
• street_address: Full street address component, which MAY include house number, street name, Post Office Box, and multi-line extended street address information. This field MAY contain multiple lines, separated by newlines. Newlines can be represented either as a carriage return/line feed pair ("\r\n") or as a single line feed character ("\n").
• locality: City or locality component.
• region: State, province, prefecture, or region component.
• postal_code: Zip code or postal code component.
• country: Country name component.

[Congyuwang]

Note that opened-connect-core advice the possibility of returning "just the full address as a single string in the formatted sub-field". That is, it is also acceptable to include only the formatted field without including the other subfields such as street_address and so on.

[Congyuwang]

Therefore, in short, I would consider the previous reverted {formatted: "some address string"} as a valid compliance solution to AddressClaim.

[hsluoyz]

@Congyuwang the previous PR was reverted because it has broken all our SDK code. All applications will fail. Can you make a PR to make a perfect fix?

[hsluoyz]

@gtn1024

[Congyuwang]

I think a figured a solution. That is to implement access_token and openid_token separately. So you can have your SDKs still use the old access_token format, while improving your compliance to OpenID protocol.