-
We have a claim (roles) in the ID token that is an array of objects and this is triggering a warning on every request as they cannot be parsed.
"roles": [
    {
        "type": "xxxxxxxxxxxxxxx",
        "value": "xxxxxxxxxxxxxxx"
    },
    {
        "type": "xxxxxxxxxxxxxxx",
        "value": "xxxxxxxxxxxxxxx"
    }
],
This means we get a tsunami of warnings since all sessions/tokens contain the same claim structure. If we try to reduce the log levels for this module we miss out on other much more useful warnings.
[Fri Jul 19 06:52:57.034856 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034853 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034698 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034695 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.003063 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.003060 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.002909 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.002905 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:56.778863 2024] [auth_openidc:warn] [pid 1660885:tid 140259245377280] [client 10.42.193.53:34374] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:56.778863 2024] [auth_openidc:warn] [pid 1660885:tid 140259245377280] [client 10.42.193.53:34374] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
It kind of goes against principles of log level verbosity, where warnings should be infrequent and not on every transaction/request. As I suspect in most cases, just like we have found, if this condition is met it's highly likely to be met on all requests.
code reference:
Line 1625 in 94f832f
Could this please be changed to debug instead of warn?
-
How about blacklisting the claim with OIDCBlackListedClaims or, even better, having the IDP not issue unused claims at all?
-
The claim is integral to the identity solution so we need it in ID tokens sent downstream. It looks like OIDCBlackListedClaims would also remove from the ID token.
-
I see, it is now changed in ea3af87
-
Thank you!
-
This is now released in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4
-
I have also seen this same error with nested claims that are valid JSON.
I'm curious why mod_auth_openidc won't unpack nclarkau's claim (roles)?
Does it not conform to the OIDC spec?
Thanks
-
Which version of mod_auth_openidc are you using?
-
Currently 2.4.17
-
The idea behind passing claims in headers is that they can be consumed as name/value pairs easily by applications, without requiring them to parse JSON; that is why only (mostly) basic types are supported. If your application requires consuming a nested JSON object, you'll need to parse JSON in the application anyhow, and you can use OIDCPassUserInfoAs json (and/or OIDCPassIDTokenAs payload) to pass the full contents of the Userinfo and/or ID Token in JSON format.
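As an added example (not from this thread or the mod_auth_openidc project), a Python sketch of the distinction drawn in the reply above: a flattening step that can only express basic types as name/value headers and reports nested objects, beside an application-side parser that reads the full ID token payload forwarded with OIDCPassIDTokenAs payload and extracts the nested roles. The header names and the "," delimiter are assumptions about the module's defaults, not values taken from the thread; confirm them against your installed version.

```python
import json

# Assumed header names (not from the thread): with "OIDCPassIDTokenAs payload" the
# module forwards the ID token claims as one JSON header; per-claim headers use the
# OIDC_CLAIM_ prefix. Verify both names against your installed version's docs.
PAYLOAD_HEADER = "OIDC_id_token_payload"
CLAIM_PREFIX = "OIDC_CLAIM_"
CLAIM_DELIMITER = ","  # assumed default: multi-valued basic claims share one header

def flatten_claims(claims):
    """Approximate the per-claim header view: scalars and arrays of scalars
    become strings; nested objects cannot be expressed as name/value pairs and
    are skipped and reported (the condition that logged the warning above)."""
    headers, skipped = {}, []
    for key, value in claims.items():
        if isinstance(value, (str, int, float, bool)) or value is None:
            headers[CLAIM_PREFIX + key] = str(value)
        elif isinstance(value, list) and all(isinstance(v, (str, int, float, bool)) for v in value):
            headers[CLAIM_PREFIX + key] = CLAIM_DELIMITER.join(str(v) for v in value)
        else:
            skipped.append(key)
    return headers, skipped

def roles_from_payload(headers):
    """Parse the forwarded ID token payload and return the nested roles as
    (type, value) pairs. Only trust this header when the app is reachable solely
    through the mod_auth_openidc proxy that sets it. Any shape other than an array
    of {"type": str, "value": str} objects raises, so malformed input fails closed."""
    raw = headers.get(PAYLOAD_HEADER)
    if raw is None:
        raise ValueError("ID token payload header missing")
    payload = json.loads(raw)
    if not isinstance(payload, dict):
        raise ValueError("payload is not a JSON object")
    roles = payload.get("roles", [])
    if not isinstance(roles, list):
        raise ValueError("'roles' is not an array")
    result = []
    for entry in roles:
        if not (isinstance(entry, dict) and isinstance(entry.get("type"), str)
                and isinstance(entry.get("value"), str)):
            raise ValueError("role entry is not a {type, value} object")
        result.append((entry["type"], entry["value"]))
    return result

# Constructed sample input: the claim shape from the thread with placeholder values.
SAMPLE_CLAIMS = {"sub": "user-123", "groups": ["staff", "admins"],
                 "roles": [{"type": "app", "value": "reader"},
                           {"type": "app", "value": "writer"}]}
SAMPLE_HEADERS = {PAYLOAD_HEADER: json.dumps(SAMPLE_CLAIMS)}
```

Running `flatten_claims(SAMPLE_CLAIMS)` reports `roles` as skipped while `sub` and `groups` become plain headers, which is exactly why the nested claim has to be read from the forwarded payload instead.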