JWT validation failed using Cognito with Google Oauth2 #346
Comments
The problem: the nonce is not being persisted, and thus we are not able to validate it. A workaround is to disable the nonce validator:

```java
package io.micronaut.security.oauth2.endpoint.token.response.validation;

import edu.umd.cs.findbugs.annotations.Nullable;
import io.micronaut.context.annotation.Replaces;
import io.micronaut.security.oauth2.client.OpenIdProviderMetadata;
import io.micronaut.security.oauth2.configuration.OauthClientConfiguration;
import io.micronaut.security.oauth2.endpoint.token.response.OpenIdClaims;

// Workaround only: replaces the built-in validator with one that accepts
// every ID token regardless of its nonce claim. This removes the replay
// protection the nonce provides, so it should be dropped once the nonce
// is persisted correctly.
@Replaces(NonceClaimValidator.class)
public class NonceClaimValidatorReplacement extends NonceClaimValidator {

    @Override
    public boolean validate(OpenIdClaims claims,
                            OauthClientConfiguration clientConfiguration,
                            OpenIdProviderMetadata providerMetadata,
                            @Nullable String nonce) {
        // Skip the comparison between the token's nonce and the issued nonce.
        return true;
    }
}
```

I will add several PRs to improve logs and ease override and fix this.

In your code, add

I also modified Thymeleaf to get the Cognito username because I am not getting an email back from Gmail sign-in.
We include a nonce. More info about nonce validation https://openid.net/specs/openid-connect-core-1_0.html#IDToken
Thanks for the workaround (and looking into the problem)!
Instead of disabling validation (delete

This will persist the nonce into a cookie, and you will be able to validate it with the regular validator (without disabling it). This will be shipped in the micronaut security module (see linked PRs) in the next patch version.
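To make the two comments above concrete (the workaround that skips the nonce check, and the fix that persists the nonce in a cookie so the regular validator can compare it), here is an added example that is not part of this issue or of the Micronaut project. It assumes a cookie name of its own (`OPENID_NONCE`), uses a constructed unsigned ID token, and assumes signature verification happens elsewhere; it shows why the first login fails when the nonce is not persisted, and why the fix is to persist it rather than to accept any nonce.

```python
import base64
import hmac
import json
import secrets
from typing import Optional

NONCE_COOKIE = "OPENID_NONCE"  # assumed cookie name, not Micronaut's


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_claims(id_token: str) -> dict:
    """Return the payload of a compact JWT. Signature verification is assumed
    to have been done already; this helper only reads the claims."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def validate_nonce(claims: dict, stored_nonce: Optional[str]) -> bool:
    """The check the regular validator performs: the ID token's nonce must
    equal the nonce issued when the authorization request was built."""
    token_nonce = claims.get("nonce")
    if not token_nonce or not stored_nonce:
        return False  # nothing to compare: reject instead of accepting blindly
    return hmac.compare_digest(token_nonce, stored_nonce)


def make_constructed_id_token(nonce: str) -> str:
    """Build an unsigned ID token carrying the given nonce (constructed test data)."""
    def enc(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'sub': 'user-1', 'nonce': nonce})}."


def login_flow(persist_nonce: bool) -> bool:
    """Simulate one login. `cookies` stands in for the browser cookie jar that
    survives the redirect to the provider and back."""
    cookies: dict = {}
    # 1. Authorization request: mint a fresh nonce and, if fixed, persist it.
    nonce = secrets.token_urlsafe(32)
    if persist_nonce:
        cookies[NONCE_COOKIE] = nonce
    # 2. The provider echoes the nonce back inside the ID token.
    id_token = make_constructed_id_token(nonce)
    # 3. Callback: compare the token's nonce with what the cookie jar holds.
    return validate_nonce(id_token_claims(id_token), cookies.get(NONCE_COOKIE))
```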
Thanks @sdelamo!
@sdelamo I was creating a test to make this workaround pass the coverage quality gate test, and when I tested

Is this function being called? Because according to the test and the file

The test file (incomplete):
We are updating to Micronaut 2.0, but a problem occurs with our current login workflow. We use Cognito as our authentication provider and the login is made using Google.
When we try to sign in for the first time, we receive the following error:
If we go back to the sign-in page and try again, the authentication process is successful.
Steps to Reproduce
- client-id, client-secret and the necessary fields in issuer in the application.yml.
Expected Behaviour
The authentication should be successful in the first try.
Actual Behaviour
It fails once, then it authenticates.
Environment Information