claims parameter in signed object fails #206

Open
phavekes opened this issue Oct 18, 2024 · 2 comments

@phavekes
Member

This issue is imported from Pivotal - Originally created at Sep 15, 2022 by Bart Geesink

You can use a signed JWT to encode your authorization request. If I add the claims parameter, it will cause an error. See attachment for the stacktrace.

The decoded JWT used looks like this:

```json
{
  "iss": "oidctest",
  "aud": "https://connect.test.surfconext.nl",
  "claims": {
    "id_token": {
      "email": null
    }
  },
  "response_type": "code",
  "scope": "openid",
  "client_id": "oidctest",
  "state": "O5pZvW_cPJjPCZm87eHPqplnL1A",
  "redirect_uri": "https://spdtest.surfconext.nl/oidc/redirect",
  "nonce": "tAw5hSn8HxKahbAFlS7J9kOikbnz2I21_gt1NL1KrAk"
}
```

@phavekes
Member Author

@bartgeesink You forgot to attach the stack-trace. When I try this with the playground it works. The difference being that the claims field is a string with escaped JSON. I think this is spec mandatory (but I'm not sure).

```json
{
  "header": {
    "alg": "RS256",
    "kid": "play_key_id",
    "typ": "JWT"
  },
  "state": "SIGNED",
  "payload": {
    "aud": "audience",
    "claims": "{\"id_token\":{\"email\":null}}",
    "client_id": "playground_client",
    "exp": 1663247285,
    "iat": 1663243685,
    "iss": "playground_client",
    "jti": "d2b8a21c-7a2c-451c-883f-ec8f74acc486",
    "nbf": 1663243685,
    "nonce": "example",
    "redirect_uri": "https://oidc-playground.test2.surfconext.nl/redirect",
    "response_mode": "query",
    "response_type": "code",
    "scope": "openid",
    "state": "example",
    "sub": "playground_client"
  }
}
```

(Okke Harsta - Sep 15, 2022)

@phavekes
Member Author

The example shown in paragraph 6.1 of the spec shows the non-escaped JSON. The spec itself is not very clear, but other implementations do not escape.

I've attached the error now (Bart Geesink - Sep 15, 2022)

@phavekes phavekes removed their assignment Oct 18, 2024
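
Added example, not part of the issue thread or the project's own code: a Python sketch that accepts both `claims` shapes shown in the comments above (nested JSON object and string of escaped JSON) in the payload of a request object whose signature has already been verified, and normalizes them to one structure. `normalize_claims`, `ClaimsRequestError` and the two sample payloads are hypothetical names constructed for illustration; the `userinfo` target and the `essential`/`value`/`values` members come from the OpenID Connect claims request format, not from this page.

```python
import json

# Claims-request targets and per-claim members this sketch understands.
KNOWN_TARGETS = ("userinfo", "id_token")
KNOWN_MEMBERS = {"essential", "value", "values"}

# Constructed samples mirroring the two payload shapes in the thread.
NESTED = {"client_id": "oidctest", "claims": {"id_token": {"email": None}}}
ESCAPED = {"client_id": "playground_client",
           "claims": '{"id_token":{"email":null}}'}


class ClaimsRequestError(ValueError):
    """The `claims` member cannot be interpreted as a claims request."""


def normalize_claims(payload):
    """Return {target: {claim: None | options}} for a verified payload.

    Accepts `claims` as a JSON object or as a string holding JSON, so both
    payloads from the thread yield the same result. A missing member gives {}.
    """
    raw = payload.get("claims")
    if raw is None:
        return {}
    if isinstance(raw, str):
        try:
            raw = json.loads(raw)
        except json.JSONDecodeError as exc:
            raise ClaimsRequestError("claims string is not valid JSON") from exc
    if not isinstance(raw, dict):
        raise ClaimsRequestError("claims must be a JSON object")
    result = {}
    for target in KNOWN_TARGETS:
        if target not in raw:
            continue
        if not isinstance(raw[target], dict):
            raise ClaimsRequestError(f"{target} must be a JSON object")
        result[target] = {}
        for name, spec in raw[target].items():
            if spec is None:  # null: claim requested with default handling
                result[target][name] = None
            elif isinstance(spec, dict):  # keep only members known here
                result[target][name] = {k: v for k, v in spec.items()
                                        if k in KNOWN_MEMBERS}
            else:
                raise ClaimsRequestError(
                    f"{target}.{name} must be null or a JSON object")
    return result
```

Malformed values (a non-JSON string, an array, a scalar per-claim value) raise `ClaimsRequestError`, which a server can map to an error response rather than an unhandled exception.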
Status: Icebox