Hi, I found that if I set the client's Subject Type to Pairwise, simple-web-app shows an exception: "user_id mismatch between id_token and user_info call".
I debugged and found the root cause is:
When the idToken is generating the PairwiseIdentifier in UUIDPairwiseIdentiferService::getIdentifier(), it queries pairwise_identifier with userInfo.getSub(), and then in DefaultUserInfoService::getByUsernameAndClientId():
```java
// DefaultUserInfoService::getByUsernameAndClientId(), as quoted in the report
if (SubjectType.PAIRWISE.equals(client.getSubjectType())) {
    String pairwiseSub = pairwiseIdentifierService.getIdentifier(userInfo, client);
    userInfo.setSub(pairwiseSub); // overwrites sub on the loaded user_info record
}
```
The generated pairwiseSub overwrites the sub field of the user_info table record.
Next, when the client retrieves userinfo, DefaultUserInfoService::getByUsernameAndClientId() is called again, and this time, since userInfo.sub has already been updated, UUIDPairwiseIdentiferService::getIdentifier() regenerates the pairwiseSub. Then in the client's OIDCAuthenticationProvider::authenticate(), the check !userInfo.getSub().equals(token.getSub()) fails and the exception is thrown.
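To make the sequence above reproducible, here is an added Python model of the two calls (not MITREid Connect code; class and function names are simplified stand-ins). It contrasts the mutating lookup described in the report with an assumed fix that returns a client-scoped copy and keys the pairwise lookup on the stored local sub.

```python
import copy
import uuid

PAIRWISE = "pairwise"


class UserInfo:
    def __init__(self, sub, username):
        self.sub = sub                      # stable local subject, as stored in user_info
        self.preferred_username = username


class PairwiseIdentifierService:
    """Maps (sub passed by caller, sector identifier) -> opaque pairwise subject."""
    def __init__(self):
        self._table = {}

    def get_identifier(self, user_info, client):
        key = (user_info.sub, client["sector"])      # keyed on whatever sub the caller passes
        if key not in self._table:
            self._table[key] = str(uuid.uuid4())     # cache miss: mint a brand-new pairwise id
        return self._table[key]


def get_userinfo_buggy(store, pws, username, client):
    user_info = store[username]                      # the persisted record itself
    if client["subject_type"] == PAIRWISE:
        user_info.sub = pws.get_identifier(user_info, client)  # overwrites the stored sub
    return user_info


def get_userinfo_fixed(store, pws, username, client):
    # Assumed fix: hand the client a copy and never mutate the stored record,
    # so the pairwise lookup is always keyed on the original local sub.
    user_info = copy.copy(store[username])
    if client["subject_type"] == PAIRWISE:
        user_info.sub = pws.get_identifier(store[username], client)
    return user_info


def subs_match(lookup):
    """Run the two calls the client makes (id_token, then /userinfo) and compare subs."""
    store = {"alice": UserInfo("local-alice", "alice")}   # constructed sample record
    pws = PairwiseIdentifierService()
    client = {"subject_type": PAIRWISE, "sector": "https://rp.example"}
    id_token_sub = lookup(store, pws, "alice", client).sub
    userinfo_sub = lookup(store, pws, "alice", client).sub
    return id_token_sub == userinfo_sub
```

With the buggy lookup the second call sees the already-rewritten sub, misses the pairwise table and mints a new identifier, which is exactly the mismatch the client rejects.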