
Pairwise Subject Type cause "user_id mismatch between id_token and user_info call" exception on client side #1389

Open
Oceanedge opened this issue May 3, 2018 · 1 comment

Comments

@Oceanedge

Hi, I found that if I set the client's Subject Type to Pairwise, Simple-web-app shows an exception: "user_id mismatch between id_token and user_info call".
I debugged it and found the root cause is:
When the idToken is generated, the PairwiseIdentifier in UUIDPairwiseIdentiferService::getIdentifier() queries pairwise_identifier with userInfo.getSub(), and then in DefaultUserInfoService::getByUsernameAndClientId():

```java
if (SubjectType.PAIRWISE.equals(client.getSubjectType())) {
    String pairwiseSub = pairwiseIdentifierService.getIdentifier(userInfo, client);
    userInfo.setSub(pairwiseSub);
}
```

The generated pairwiseSub overwrites the sub field in the user_info table record.
Next, when the client retrieves userinfo, DefaultUserInfoService::getByUsernameAndClientId() is called again, and this time, since userInfo.sub has been updated, UUIDPairwiseIdentiferService::getIdentifier() regenerates the pairwiseSub. Then in the client's OIDCAuthenticationProvider::authenticate(), the check `!userInfo.getSub().equals(token.getSub())` fails and the exception is thrown.
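The flow described in the report, as an added Python simulation that is not code from the MITREid Connect project: a pairwise service keyed on (local sub, sector identifier), a user-info service that either hands out the persistent object (the reported bug) or a detached copy (the suggested fix), and the client-side comparison. The user row, sector identifier and class names are constructed stand-ins.

```python
import copy
import uuid
from dataclasses import dataclass

@dataclass
class UserInfo:
    sub: str    # local subject identifier, as stored in the user_info table
    name: str

class PairwiseIdentifierService:
    """Stand-in for UUIDPairwiseIdentiferService: one opaque sub per (local sub, sector)."""

    def __init__(self):
        self.table = {}  # simulates the pairwise_identifier table

    def get_identifier(self, user_info, sector_identifier):
        key = (user_info.sub, sector_identifier)
        # An unknown key gets a fresh UUID. On the second call in the buggy flow the
        # stored sub is already a pairwise value, so the key is new and a new UUID is minted.
        return self.table.setdefault(key, str(uuid.uuid4()))

class UserInfoService:
    """Stand-in for DefaultUserInfoService.getByUsernameAndClientId()."""

    def __init__(self, pairwise, detach):
        self.users = {"alice": UserInfo(sub="alice-local-id", name="Alice")}  # constructed row
        self.pairwise = pairwise
        self.detach = detach  # False reproduces the bug, True is the proposed fix

    def get_by_username_and_client_id(self, username, sector_identifier):
        stored = self.users[username]
        # Buggy: hand out the persistent object, so setting .sub rewrites the table row.
        # Fixed: return a detached copy, leaving the stored local sub untouched.
        user_info = copy.copy(stored) if self.detach else stored
        user_info.sub = self.pairwise.get_identifier(user_info, sector_identifier)
        return user_info

def simulate(detach, sector="https://rp.example"):
    """Return (id_token sub, userinfo sub) for two successive lookups by one pairwise client."""
    svc = UserInfoService(PairwiseIdentifierService(), detach)
    id_token_sub = svc.get_by_username_and_client_id("alice", sector).sub  # id_token issuance
    userinfo_sub = svc.get_by_username_and_client_id("alice", sector).sub  # /userinfo request
    return id_token_sub, userinfo_sub

def client_check(detach):
    """The OIDCAuthenticationProvider comparison: True only when the two subs agree."""
    id_token_sub, userinfo_sub = simulate(detach)
    return id_token_sub == userinfo_sub
```

With detach=False the two subs differ and the stored row's sub is left as an opaque UUID, which is the data-integrity side of the same defect.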

@jricher
Member

jricher commented May 3, 2018

Oh, good catch, that object should be detached before being returned. They aren't really meant to push edits back into the table.
