OpenID Connect IdToken.parse(): expected primitive class, but got: java.util.List<java.lang.String>
Andrei-Stepanov opened this issue · comments
Andrei-Stepanov commented
Hello, I am not a developer. Could you please help me? Your library is used at:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L398
It has code:
IdToken idToken = IdToken.parse(JSON_FACTORY, response.getIdToken());
It fails with:
java.lang.IllegalArgumentException: expected primitive class, but got: java.util.List<java.lang.String>
    at com.google.api.client.util.Data.parsePrimitiveValue(Data.java:453)
    at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:859)
Caused: java.lang.IllegalArgumentException: key amr, field private java.util.List com.google.api.client.auth.openidconnect.IdToken$Payload.methodsReferences
    at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:889)
    at com.google.api.client.json.JsonParser.parse(JsonParser.java:472)
    at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:781)
Caused: java.lang.IllegalArgumentException: key amr
    at com.google.api.client.json.JsonParser.parseValue(JsonParser.java:889)
    at com.google.api.client.json.JsonParser.parse(JsonParser.java:382)
    at com.google.api.client.json.JsonParser.parse(JsonParser.java:336)
    at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:166)
    at com.google.api.client.json.JsonParser.parseAndClose(JsonParser.java:148)
    at com.google.api.client.json.JsonFactory.fromInputStream(JsonFactory.java:206)
    at com.google.api.client.json.webtoken.JsonWebSignature$Parser.parse(JsonWebSignature.java:612)
    at com.google.api.client.auth.openidconnect.IdToken.parse(IdToken.java:155)
Could you please give a hint?
Thank you!
Andrei-Stepanov commented
From https://openid.net/specs/openid-connect-core-1_0-17.html :
amr
OPTIONAL. Authentication Methods References. JSON array of strings that are identifiers for authentication methods used in the authentication. For instance, values might indicate that both password and OTP authentication methods were used. The definition of particular values to be used in the amr Claim is beyond the scope of this specification. Parties using this claim will need to agree upon the meanings of the values used, which may be context-specific. The amr value is an array of case sensitive strings.
Andrei-Stepanov commented
@Key("amr")
private List<String> methodsReferences;
Andrei-Stepanov commented
Caused by IdP: https://pagure.io/ipsilon/blob/master/f/ipsilon/providers/openidc/auth.py#_506
id_token['amr'] = json.dumps([])
Sounds like an issue in the google-oauth-java-client library.
Andrei-Stepanov commented
Token is:
{
  "acr": "0",
  "amr": "[]",
  "aud": "osci-jenkins",
  "auth_time": 1592123255,
  "azp": "osci-jenkins",
  "c_hash": "p-HhSZTs2XXXXXuOl6XGA",
  "exp": 1592479007,
  "iat": 1592478407,
  "iss": "https://id.fedoraproject.org/openidc/",
  "nonce": null,
  "sub": "fe21ec53bb833f35453370804c211f7XXXXX37f9bda3a6bd80e72161b37cba"
}
Andrei-Stepanov commented
Issue on IdP side:
https://pagure.io/ipsilon/issue/339
Closing bug.
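The type mismatch traced in this thread, as an added example (not code from the reporter, Ipsilon, or google-oauth-java-client): it shows how assigning `json.dumps([])` to `amr` produces the string `"[]"` in the token payload, and a diagnostic check of the claim against the "JSON array of strings" definition quoted above. The function names, the constructed claims, the placeholder header and signature, and the conformant variant are assumptions made for illustration.

```python
import base64
import json

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    # Constructed token: placeholder signature, never verified here.
    header = b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.constructed-signature"

def decode_payload(token: str) -> dict:
    """Decode the payload segment for inspection only (no signature check)."""
    segment = token.split(".")[1]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_amr(payload: dict) -> str:
    """Classify amr against OIDC Core: a JSON array of strings, or absent."""
    if "amr" not in payload:
        return "absent"
    amr = payload["amr"]
    if isinstance(amr, list) and all(isinstance(v, str) for v in amr):
        return "ok"
    if isinstance(amr, str):
        try:
            inner = json.loads(amr)
        except ValueError:
            return "invalid: plain string"
        if isinstance(inner, list):
            return "invalid: double-encoded array"
        return "invalid: plain string"
    return "invalid: " + type(amr).__name__

# Constructed claims modelled on the token posted in the thread.
BASE = {"acr": "0", "aud": "osci-jenkins", "azp": "osci-jenkins",
        "iss": "https://id.fedoraproject.org/openidc/", "sub": "constructed-subject"}
# json.dumps([]) returns the str "[]"; serializing the token encodes it again.
BROKEN = make_token({**BASE, "amr": json.dumps([])})
# Assigning the list itself yields a real JSON array in the payload.
CONFORMANT = make_token({**BASE, "amr": []})

if __name__ == "__main__":
    for name, token in (("broken", BROKEN), ("conformant", CONFORMANT)):
        payload = decode_payload(token)
        print(name, repr(payload["amr"]), "->", check_amr(payload))
```

`decode_payload` is a troubleshooting aid for looking at claim types; it does not validate the token and its output must not be used for authentication decisions.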