googleapis / google-oauth-java-client

Google OAuth Client Library for Java

OpenID Connect IdToken.parse(): expected primitive class, but got: java.util.List<java.lang.String>

Andrei-Stepanov opened this issue · comments

Hello, I am not a developer. Could you please help me? Your library is used at:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L398

It has code:

                    IdToken idToken = IdToken.parse(JSON_FACTORY, response.getIdToken());

It fails with:

java.lang.IllegalArgumentException: expected primitive class, but got: java.util.List<java.lang.String>
	at com.google.api.client.util.Data.parsePrimitiveValue(Data.java:453)
	at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:859)
Caused: java.lang.IllegalArgumentException: key amr, field private java.util.List com.google.api.client.auth.openidconnect.IdToken$Payload.methodsReferences
	at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:889)
	at com.google.api.client.json.JsonParser.parse(JsonParser.java:472)
	at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:781)
Caused: java.lang.IllegalArgumentException: key amr
	at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:889)
	at com.google.api.client.json.JsonParser.parse(JsonParser.java:382)
	at com.google.api.client.json.JsonParser.parse(JsonParser.java:336)
	at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:166)
	at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:148)
	at com.google.api.client.json.JsonFactory.fromInputStream(JsonFactory.java:206)
	at com.google.api.client.json.webtoken.JsonWebSignature$Parser.parse(JsonWebSignature.java:612)
	at com.google.api.client.auth.openidconnect.IdToken.parse(IdToken.java:155)

Could you please give a hint?

URL is: https://xxxxx.org/securityRealm/finishLogin?code=xxxxxx-0601-42d5-bc79-5fa2fa824d4d_PBsdcfjI8iRqBdaLlpGgFZQ3bjJFwRRX&state=XDk4NDM3OWQtMDYwMS00

Thank you!

From https://openid.net/specs/openid-connect-core-1_0-17.html :

amr
OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.

Caused by IdP: https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openidc/auth.py#_506

id_token['amr'] = json.dumps([])

Sounds like an issue in the google-oauth-java-client library.

Token is:

{
  "acr": "0",
  "amr": "[]",
  "aud": "osci-jenkins",
  "auth_time": 1592123255,
  "azp": "osci-jenkins",
  "c_hash": "p-HhSZTs2XXXXXuOl6XGA",
  "exp": 1592479007,
  "iat": 1592478407,
  "iss": "https://id.fedoraproject.org/openidc/",
  "nonce": null,
  "sub": "fe21ec53bb833f35453370804c211f7XXXXX37f9bda3a6bd80e72161b37cba"
}

Issue on the IdP side:
https://pagure.io/ipsilon/issue/339
Closing bug.
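
An added example, not part of the original issue or of either project's code: it reproduces how `json.dumps([])` puts the string "[]" into the `amr` claim instead of a JSON array, and checks a token payload for claims whose JSON type does not match OpenID Connect Core. The `EXPECTED` table, `make_token`, `claim_type_errors` and all sample claim values are constructed for illustration; the checker inspects the payload only and does not verify signatures.

```python
import base64
import json

# Expected JSON types for some ID token claims (OpenID Connect Core).
# Partial table for illustration; "amr" must be an array of strings.
EXPECTED = {"iss": str, "sub": str, "amr": list,
            "exp": int, "iat": int, "auth_time": int}


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def claim_type_errors(id_token):
    """List claims whose JSON type is wrong. Payload only, no signature check."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 segments")
    payload = json.loads(b64url_decode(parts[1]))
    errors = []
    for name, expected in EXPECTED.items():
        if name not in payload:
            continue
        value = payload[name]
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, expected):
            errors.append("%s: expected %s, got %s (%r)" % (
                name, expected.__name__, type(value).__name__, value))
        elif expected is list and not all(isinstance(v, str) for v in value):
            errors.append("%s: array must contain only strings" % name)
    return errors


def make_token(payload):
    """Build an unsigned sample token (constructed, for this demo only)."""
    def seg(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return "%s.%s.c2ln" % (seg({"alg": "none"}), seg(payload))


# Constructed claims; only the "amr" handling mirrors the page.
BASE = {"iss": "https://idp.example/", "sub": "constructed-subject",
        "exp": 1592479007, "iat": 1592478407}
BROKEN = make_token(dict(BASE, amr=json.dumps([])))  # string "[]", as in the token above
FIXED = make_token(dict(BASE, amr=[]))               # real (empty) JSON array

if __name__ == "__main__":
    print(claim_type_errors(BROKEN))
    print(claim_type_errors(FIXED))
```

Running a check like this against a captured ID token shows whether a parse failure comes from the IdP's claim encoding before looking at the client library.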