2.1.0 oidc login failure #4791
Comments
Please refer to the upgrade steps in the 2.1.0 release note.

Hi @nobodyiam, thanks for the hint, but the interesting thing is if I disable oidc login just use

Looks like something went wrong when deserializing the oidc info:

Did you switch the authentication from default auth to oidc? You may also try to clean the spring sessions to see if it works.

Hi @nobodyiam, followed the migration step, make sure the authentication is Thanks in advance!

I haven't tested with oidc login but it seems related to the spring security version update.

Thanks in advance!

You can try to add an environment variable to disable the JDBC session to temporarily resolve this.

Hi group, after adding the env variable it seems like a workaround; I just want to know if there's any config in the portal so that we can just use profile/email for the display name without the uuid? Details shown below
We encountered the same problem when updating from 2.0.1 to 2.1.0, while the portal was integrated with a GitLab IdP. It refers to

GitLab's issued idToken has several claims, such as:

```json
{
  "iss": "https://gitlab.example.com",
  "sub": "106",
  "aud": "<REDACTED>",
  "exp": 1681280989,
  "iat": 1681280869,
  "nonce": "uSD5tXSrl_0KSgylHL3uUzYEeKSPltPYov7i588EeDM",
  "auth_time": 1681279017,
  "sub_legacy": "<REDACTED>",
  "email": "foo@bar.com",
  "email_verified": true,
  "groups_direct": [
    "group1/sub-group1",
    "group2"
  ]
}
```

According to spring-projects/spring-security#12108, because

Here is a unit test that reproduces this issue.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.junit.Assert;
import org.junit.Test;
import org.springframework.core.convert.ConversionService;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
// SpringSessionConfig is apollo-portal's own session configuration class

@Test
public void testConversionService() {
    // prepare JWT decoder with HS256 alg
    String jwtSecret = "MY_APPLICATION_JWT_SECRET_KEY_DUMMY";
    SecretKey secretKey = new SecretKeySpec(jwtSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withSecretKey(secretKey).build();
    // prepare idToken (payload carries an array-valued "groups_direct" claim)
    String idToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJncm91cHNfZGlyZWN0IjpbImdyb3VwMS9zdWItZ3JvdXAxIiwiZ3JvdXAyIl19.OQDbCoothbZR_2uLTpCb9tD0arxOsK0LB4p0H_2gDHM";
    Jwt jwt = jwtDecoder.decode(idToken);
    OidcIdToken oidcIdToken = new OidcIdToken(idToken, jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    // test conversion with the portal's spring-session conversion service
    ConversionService conversionService = new SpringSessionConfig().springSessionConversionService();
    // serialize oidcIdToken to byte[]
    byte[] serialized = (byte[]) conversionService.convert(oidcIdToken, TypeDescriptor.valueOf(Object.class),
            TypeDescriptor.valueOf(byte[].class));
    // deserialize byte[] to OidcIdToken
    Object deserialized = conversionService.convert(serialized, TypeDescriptor.valueOf(byte[].class),
            TypeDescriptor.valueOf(Object.class));
    Assert.assertTrue(deserialized instanceof OidcIdToken);
}
```
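An added inspection helper (not from this thread or the Apollo project) that decodes an ID token's payload and lists the claims holding JSON arrays or objects, which is what the comment above ties to the session round-trip failure; it runs on the sample HS256 token from the unit test and does not verify the signature, so it is for looking at a token you already hold, not for validating one. Any provider's array claims (GitLab's `groups_direct`, Cognito's `groups`) are reported the same way.

```python
import base64
import json

# Constructed input: the sample ID token posted in the unit test above.
# Its payload carries an array-valued "groups_direct" claim.
SAMPLE_ID_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIy"
    "LCJncm91cHNfZGlyZWN0IjpbImdyb3VwMS9zdWItZ3JvdXAxIiwiZ3JvdXAyIl19."
    "OQDbCoothbZR_2uLTpCb9tD0arxOsK0LB4p0H_2gDHM"
)


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(id_token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT checked here."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def non_scalar_claims(id_token: str) -> dict:
    """Map each claim whose value is a JSON array or object to its JSON type.

    Scalar claims (string, number, boolean, null) survive the spring-session
    JSON round trip; array/object claims are the ones this thread associates
    with the OidcIdToken deserialization error.
    """
    kinds = {}
    for name, value in decode_claims(id_token).items():
        if isinstance(value, list):
            kinds[name] = "array"
        elif isinstance(value, dict):
            kinds[name] = "object"
    return kinds


if __name__ == "__main__":
    for claim, kind in non_scalar_claims(SAMPLE_ID_TOKEN).items():
        print(f"{claim}: {kind}")
```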
Thank you for sharing the comprehensive details. It appears the problem is not associated with the Spring Security update, as I encountered the same errors when executing the following code in version 2.0.1. Do you have any suggestion on how to

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.junit.Assert;
import org.junit.Test;
import org.springframework.core.convert.ConversionService;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.core.convert.support.GenericConversionService;
import org.springframework.security.jackson2.SecurityJackson2Modules;
import org.springframework.security.oauth2.core.oidc.OidcIdToken;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;

@Test
public void testConversionService() {
    // prepare JWT decoder with HS256 alg
    String jwtSecret = "MY_APPLICATION_JWT_SECRET_KEY_DUMMY";
    SecretKey secretKey = new SecretKeySpec(jwtSecret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    NimbusJwtDecoder jwtDecoder = NimbusJwtDecoder.withSecretKey(secretKey).build();
    // prepare idToken (payload carries an array-valued "groups_direct" claim)
    String idToken = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJncm91cHNfZGlyZWN0IjpbImdyb3VwMS9zdWItZ3JvdXAxIiwiZ3JvdXAyIl19.OQDbCoothbZR_2uLTpCb9tD0arxOsK0LB4p0H_2gDHM";
    Jwt jwt = jwtDecoder.decode(idToken);
    OidcIdToken oidcIdToken = new OidcIdToken(idToken, jwt.getIssuedAt(), jwt.getExpiresAt(), jwt.getClaims());
    // test conversion with a conversion service built the same way as the portal's
    ConversionService conversionService = springSessionConversionService();
    // serialize oidcIdToken to byte[]
    byte[] serialized = (byte[]) conversionService.convert(oidcIdToken, TypeDescriptor.valueOf(Object.class),
            TypeDescriptor.valueOf(byte[].class));
    // deserialize byte[] to OidcIdToken
    Object deserialized = conversionService.convert(serialized, TypeDescriptor.valueOf(byte[].class),
            TypeDescriptor.valueOf(Object.class));
    Assert.assertTrue(deserialized instanceof OidcIdToken);
}

public ConversionService springSessionConversionService() {
    GenericConversionService conversionService = new GenericConversionService();
    // ObjectMapper with Spring Security's Jackson mixins (incl. OidcIdToken) registered
    ObjectMapper objectMapper = new ObjectMapper();
    objectMapper.registerModules(SecurityJackson2Modules.getModules(this.getClass().getClassLoader()));
    // Object -> byte[]: JSON-serialize the session attribute
    conversionService.addConverter(Object.class, byte[].class, source -> {
        try {
            return objectMapper.writeValueAsBytes(source);
        } catch (IOException e) {
            throw new RuntimeException(
                    "Spring-session JSON serializing error, This is usually caused by the system upgrade, please clear the browser cookies and try again.",
                    e);
        }
    });
    // byte[] -> Object: JSON-deserialize the session attribute
    conversionService.addConverter(byte[].class, Object.class, source -> {
        try {
            return objectMapper.readValue(source, Object.class);
        } catch (IOException e) {
            throw new RuntimeException(
                    "Spring-session JSON deserializing error, This is usually caused by the system upgrade, please clear the browser cookies and try again.",
                    e);
        }
    });
    return conversionService;
}
```
This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

This issue has been automatically closed because it has not had activity in the last 7 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

Any updates on it?
Hi, is this problem solved in 2.2.0? AWS Cognito also gives the claim "groups" as an array, which I'd like to use with Apollo.
Describe the bug
2.1.0 login with oidc: it seems like there are some oidc issues.

Expected behavior
Portal login with oidc.

Screenshots

Additional Details & Logs
apollo-portal (17).txt

@nobodyiam @vdisk-group