Crash when sending long attributes in OpenID Connect authentication #2689

Open
DanielMalmgren opened this issue Sep 20, 2023 · 1 comment
Labels
bug: Something isn't working
PowerShell Universal: Issue relates to PowerShell Universal.
requires triage: Issue has not yet been verified by the development team.

Comments

@DanielMalmgren

Version

4.0.12

Severity

Low

Steps to Reproduce

In an OpenID Connect federation, set up the identity provider so that it sends a very long attribute/claim in the login flow. In my case it's an attribute named "groups" which contains all my AD groups; it's a string that is above 2000 characters.

I also mentioned this in the forums

Expected behavior

PSU should accept the attribute and use it. For the groups attribute, it should be used for authorization.

Actual behavior

Complete crash.

Pasting what I get in the log below:

2023-09-13 11:32:46.559 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/ - -
2023-09-13 11:32:46.559 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:46.559 +02:00 [VRB] This request accepts compression.
2023-09-13 11:32:46.559 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'SessionMiddleware').
2023-09-13 11:32:46.559 +02:00 [DBG] The request path / does not match a supported file type
2023-09-13 11:32:46.559 +02:00 [DBG] The request path  does not match the path filter
2023-09-13 11:32:46.559 +02:00 [DBG] Request did not match any endpoints
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'System.String', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [VRB] Performing protect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:46.564 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/ - - - 302 0 - 5.1100ms
2023-09-13 11:32:57.788 +02:00 [INF] Request starting HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - -
2023-09-13 11:32:57.788 +02:00 [VRB] All hosts are allowed.
2023-09-13 11:32:57.789 +02:00 [VRB] Performing unprotect operation to key {8a65e556-5c21-460f-8cc3-170a2845b632} with purposes ('C:\Program Files (x86)\Universal\', 'Microsoft.AspNetCore.Authentication.OpenIdConnect.OpenIdConnectHandler', 'OpenIdConnect', 'v1').
2023-09-13 11:32:57.789 +02:00 [ERR] Connection id "0HMTJCELR3K2I", Request id "0HMTJCELR3K2I:00000003": An unhandled exception was thrown by the application.
System.Exception: An error was encountered while handling the remote login.
 ---> Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectProtocolException: Message contains error: 'server_error', error_description: 'the server encountered an unexpected error', error_uri: 'error_uri is null'.
   --- End of inner exception stack trace ---
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.HandleRequestAsync()
   at Microsoft.AspNetCore.Authentication.AuthenticationMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Server.Kestrel.Core.Internal.Http.HttpProtocol.ProcessRequests[TContext](IHttpApplication`1 application)
2023-09-13 11:32:57.790 +02:00 [INF] Request finished HTTP/2 GET https://<OBFUSCATED>/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=CfDJ8FblZYohXA9GjMMXCihFtjJVlSMMQBodSAtgJqdYSw7NGE0pNkn_uL6vFiszZVkSYUDKTfeY4mwmdqZ37HvUv2jKyv9ATMAl6sEJkUrb3RB9Kwm-kQJiWntEY0ugnfG-3asxPxeWFcDPs6YFJE8bzWmqV1MAoJBDf0g2CMkNCCOJciUnLAghGRAQTYGNdBtcEMR31Up1BXeu3cq3pVIslrJ0PUU0Z8r1253bADoDrk31_tIVLxIWtZzEw4f0uIttAqe8_xY8HyFbqcyU0C4tPQQutj2Z8eMb3R3tT58D2YuXFapNW0KaN-17XL1N5OTeWSWT7mr8PXS5fVueBHpO0D6VhfVS-H1dgeQcwhqiMBi5JxSoBPeIp9dvPCZ8sSMvDw&error=server_error - - - 500 0 - 1.4839ms

Additional Environment data

OS: Windows Server 2019 Datacenter

Visuals

No response
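
The log above shows the sign-in callback to `/auth/signin-oidc` arriving with `error=server_error` in its query string before the unhandled exception is logged. As an added example (not code from PowerShell Universal or from the issue author), this Python sketch pulls such callback requests out of a log in that layout and records the OAuth 2.0 error parameters, the length of `state`, and the final HTTP status; the host name and `state` value in the sample are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the same log layout; host and state are placeholders.
# The first two entries are deliberately run together on one physical line.
SAMPLE_LOG = """\
2023-09-13 11:32:46.564 +02:00 [INF] Request finished HTTP/2 GET https://psu.example.test/ - - - 302 0 - 5.1100ms2023-09-13 11:32:57.788 +02:00 [INF] Request starting HTTP/2 GET https://psu.example.test/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=PLACEHOLDER_STATE&error=server_error - -
2023-09-13 11:32:57.789 +02:00 [ERR] Connection id "X", Request id "X:00000003": An unhandled exception was thrown by the application.
2023-09-13 11:32:57.790 +02:00 [INF] Request finished HTTP/2 GET https://psu.example.test/auth/signin-oidc?error_description=the+server+encountered+an+unexpected+error&state=PLACEHOLDER_STATE&error=server_error - - - 500 0 - 1.4839ms
"""

# Zero-width split before every timestamp, so fused entries are still separated.
ENTRY_START = re.compile(
    r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{2}:\d{2} \[)")
REQUEST = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[INF\] Request (?:starting|finished) "
    r"HTTP/\S+ \S+ (?P<url>\S+)(?: - - - (?P<status>\d{3}) )?")

def oidc_callbacks(log_text, callback_path="/auth/signin-oidc"):
    """Return one record per distinct sign-in callback URL found in the log."""
    found = {}
    for entry in ENTRY_START.split(log_text):
        m = REQUEST.match(entry.strip())
        if not m:
            continue  # not a request line (e.g. [VRB], [ERR], stack trace)
        url = urlsplit(m["url"])
        if url.path != callback_path:
            continue
        q = parse_qs(url.query)  # decodes '+' and %xx in parameter values
        rec = found.setdefault(m["url"], {
            "first_seen": m["ts"],
            "error": q.get("error", [None])[0],
            "error_description": q.get("error_description", [None])[0],
            "state_len": len(q.get("state", [""])[0]),
            "status": None,
        })
        if m["status"]:  # only "Request finished" lines carry a status code
            rec["status"] = int(m["status"])
    for rec in found.values():
        # An `error` parameter means the identity provider redirected back with
        # an OAuth 2.0 error response instead of an authorization result.
        rec["origin"] = "idp_error_response" if rec["error"] else "local_processing"
    return list(found.values())

if __name__ == "__main__":
    for record in oidc_callbacks(SAMPLE_LOG):
        print(record)
```

A record with `origin` set to `idp_error_response` and `status` 500 matches the pattern in this report: the error arrived in the redirect from the identity provider and the application then answered the callback with an unhandled exception.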

@DanielMalmgren DanielMalmgren added bug Something isn't working PowerShell Universal Issue relates to PowerShell Universal. requires triage Issue has not yet been verified by the development team. labels Sep 20, 2023
@adamdriscoll
Member

This issue has been mentioned on Ironman Software Forums. There might be relevant details there:

https://forums.ironmansoftware.com/t/problem-with-groups-in-oauth2-attribute/9706/2
