Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Userinfo when using a generic provider #3712

Closed
5 tasks done
robinknaapen opened this issue Jan 25, 2024 · 2 comments
Closed
5 tasks done

Userinfo when using a generic provider #3712

robinknaapen opened this issue Jan 25, 2024 · 2 comments
Labels
bug Something is not working.

Comments

@robinknaapen
Copy link

Preflight checklist

Ory Network Project

No response

Describe the bug

Kratos does not utilize userinfo call even though a provider has to be OIDC compliant.

In my scenario I have a legacy oauth2 server that is used by some applications. I did not want to alter existing code of this server.
So I choose to create a layer above this server that implemented the OIDC layer as well as the userinfo call.

This userinfo call returns some extra information that is necessary for newer applications and this information is not pressent in the id_token.

I've scoped through the code of the generic_provider and I could not see a userinfo call being used.

I can confirm this when I am going over the login flow and follow traces in the new service. No calls are made to the new userinfo call.

Reproducing the bug

  • Deploy a Kratos instance
  • Deploy a OIDC compliant service that returns a trait over the userinfo call that is not pressent in the id_token
  • Configure this service using the generic_provider in Kratos
  • Follow the login flow and login via OIDC with the above-mentioned service

The trait will not be in the received claims in the jsonnet mapper.

Relevant log output

No response

Relevant configuration

For debugging purposes, I have outputted all the claims to the traits object in the jsonnet mapper.


# kratos.yml
selfservice:
    oidc:
      enabled: true
      config:
        providers:
          - id: oidc_provider
            provider: generic
            subject_source: userinfo
            issuer_url: http://localhost:8081
            mapper_url: file://./mappers/oidc_provider_mapper.jsonnet
            requested_claims:
              id_token:
                ? name
              userinfo:
                ? custom
            scope:
              - profile 
              - openid
# ./mappers/oidc_provider_mapper.jsonnet
local claims = std.extVar('claims');

{
  identity: {
    traits: {
      claims: claims
    },
    metadata_public: {},
  },
}



### Version

v1.0.0

### On which operating system are you observing this issue?

Linux

### In which environment are you deploying?

Docker Compose

### Additional Context

_No response_
@robinknaapen robinknaapen added the bug Something is not working. label Jan 25, 2024
@robinknaapen
Copy link
Author

Related issues:

#3182
#518

I have found other issues mentioned above; but the solution was to create a custom provider. I understand in this case, since the implementation is pretty specific. But was a generic_oidc_provider considered anywhere along the way?

@robinknaapen
Copy link
Author

Fixed by: #3718

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@robinknaapen