Contrib.social

Registered claims error after upgrading from 5.0.5 to 5.2.0.

Open on Drupal.org β†’
Created on 6 January 2022, over 2 years ago
Updated 11 June 2024, 16 days ago

Problem/Motivation

Error: Lcobucci\JWT\Token\RegisteredClaimGiven: Builder#withClaim() is meant to be used for non-registered claims, check the documentation on how to set claim "sub" in Lcobucci\JWT\Token\RegisteredClaimGiven::forClaim() (line 18 of /app/vendor/lcobucci/jwt/src/Token/RegisteredClaimGiven.php).

Steps to reproduce

Setup a Drupal provider.
Setup an external consumer which expects a "sub" field mapping.

Proposed resolution

I don't know if this is a problem with my implementation, simple_oauth or the underlying package. 'sub' is one of the claims fields used by simple_oath default normalizer, but it seems like others would be experiencing this issue.
* Should I override the normalizer and set the claims (getClaimsFromAccount) without 'sub'?
* Is 5.2 compatible with lesser versions (3.4) of lcobucci/jwt? Are others explicitly using lower version?

I downgraded to 5.0.6 and our implementation started working again, but would like to figure out the source of this issue.

FULL TRACE

Lcobucci\JWT\Token\RegisteredClaimGiven: Builder#withClaim() is meant to be used for non-registered claims, check the documentation on how to set claim "sub" in Lcobucci\JWT\Token\RegisteredClaimGiven::forClaim() (line 18 of /app/vendor/lcobucci/jwt/src/Token/RegisteredClaimGiven.php).
Lcobucci\JWT\Token\Builder->withClaim('sub', '5') (Line: 89)
OpenIDConnectServer\IdTokenResponse->getExtraParams(Object) (Line: 51)
League\OAuth2\Server\ResponseTypes\BearerTokenResponse->generateHttpResponse(Object) (Line: 208)
League\OAuth2\Server\AuthorizationServer->respondToAccessTokenRequest(Object, Object) (Line: 87)
Drupal\simple_oauth\Controller\Oauth2Token->handleToken(Object, Object) (Line: 63)
Drupal\simple_oauth\Controller\Oauth2Token->token(Object)
call_user_func_array(Array, Array) (Line: 123)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 564)
Drupal\Core\Render\Renderer->executeInRenderContext(Object, Object) (Line: 124)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->wrapControllerExecutionInRenderContext(Array, Array) (Line: 97)
Drupal\Core\EventSubscriber\EarlyRenderingControllerWrapperSubscriber->Drupal\Core\EventSubscriber\{closure}() (Line: 158)
Symfony\Component\HttpKernel\HttpKernel->handleRaw(Object, 1) (Line: 80)
Symfony\Component\HttpKernel\HttpKernel->handle(Object, 1, 1) (Line: 67)
Drupal\simple_oauth\HttpMiddleware\BasicAuthSwap->handle(Object, 1, 1) (Line: 58)
Drupal\Core\StackMiddleware\Session->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\KernelPreHandle->handle(Object, 1, 1) (Line: 106)
Drupal\page_cache\StackMiddleware\PageCache->pass(Object, 1, 1) (Line: 85)
Drupal\page_cache\StackMiddleware\PageCache->handle(Object, 1, 1) (Line: 50)
Drupal\ban\BanMiddleware->handle(Object, 1, 1) (Line: 48)
Drupal\Core\StackMiddleware\ReverseProxyMiddleware->handle(Object, 1, 1) (Line: 51)
Drupal\Core\StackMiddleware\NegotiationMiddleware->handle(Object, 1, 1) (Line: 23)
Stack\StackedHttpKernel->handle(Object, 1, 1) (Line: 708)
Drupal\Core\DrupalKernel->handle(Object) (Line: 19)

Thanks.

πŸ› Bug report
Status

Needs work

Version

5.2

Component

OpenID Connect

Created by

πŸ‡ΊπŸ‡ΈUnited States bfuzze9898

Live updates comments and jobs are added and updated live.
  • Needs tests

    The change is currently missing an automated test that fails when run with the original code, and succeeds when the bug has been fixed.

Sign in to follow issues

Merge Requests

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Merge request !66Issue #3257293 by jkdev: Registered claims error after upgrading from 5.0.5 to 5.2.0 β†’ (Open) created by sanduhrs
  • Comment about 1 year ago β†’
    πŸ‡¨πŸ‡³China zterry95

    MR !64 works for me.

  • Comment 11 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    For some reason, MR!66 contains a change which is already in 6.0.x, it's that // phpcs:ignore line. The attached patch had that removed and it should apply cleanly.

  • Comment 11 months ago β†’
    πŸ‡©πŸ‡ͺGermany jurgenhaas Gottmadingen

    Still a slight issue, but now should be ok.

  • First commit to issue fork.
  • Pipeline finished with Success
    8 months ago
    Total: 340s
    #38199
  • Comment 8 months ago β†’
    πŸ‡§πŸ‡¬Bulgaria pfrenssen Sofia

    Cherry-picked commit 0e62f583 into the 6.0.x MR.

  • Pipeline finished with Success
    8 months ago
    Total: 194s
    #38201
  • Comment 6 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States grasmash

    The patches in this PR seem to do more than resolve BC issues, they introduce new support for ID tokens and ISS claims. Valuable stuff, but a separate issue?

    >The OpenID Connect token id response needed some treatment as-well.

    I'd love to see those parts merged.

  • Comment 6 months ago β†’
    πŸ‡ΊπŸ‡ΈUnited States grasmash

    @jurgenhaas, @sanduhrs any chance you can tell me how to actually get the id token? /oauth/token only returns the access token.

  • Comment 3 months ago β†’
    πŸ‡§πŸ‡ͺBelgium gorkagr

    Hi!

    if using this module (v5.2.5) for login in a gitlab instance from a D10, I get the following error with the respective MR:

    Could not authenticate you from OpenIDConnect because "Request uri must have schema. possibly add 'http://' to the request uri?".

    Without the patch, i have the error in #1.

    in gitlab I have 2 login providers: oauth2_generic (works fine) and openid_connect (error)

    Config details:

    gitlab_rails['omniauth_providers'] = [
  {
    name: "openid_connect",
    label: "OIC",
    args: {
      name: 'openid_connect',
      scope: ['openid', 'oauth2_access_to_profile_information'],
      response_type: 'code',
      issuer: 'https://oauth.ddev.site',
      discovery: false,
      uid_field: 'preferred_username',
      client_auth_method: 'basic',
      client_options: {
        identifier: 'gitlab',
        secret: 'gitlab',
        redirect_uri: 'https://gitlab.ddev.site/users/auth/openid_connect/callback',
        userinfo_endpoint: "https://oauth.ddev.site/oauth/userinfo",
        authorization_endpoint: "https://oauth.ddev.site/oauth/authorize",
        token_endpoint: "https://oauth.ddev.site/oauth/token"
      }
    }
  },
 {
   name: "oauth2_generic",
   label: "OAUTH",
   app_id: "git",
   app_secret: "git",
   args: {
     client_options: {
       site: "https://oauth.ddev.site",
       user_info_url: "/oauth/v1/userinfo",
       authorize_url: "/oauth/authorize",
       token_url: "/oauth/token"
     },
     user_response_structure: {
       root_path: [],
       id_path: ["sub"],
       attributes: {
         email: "email",
         name: "name"
       }
     },
     authorize_params: {
       scope: "oauth2_access_to_profile_information"
     },
     strategy_class: "OmniAuth::Strategies::OAuth2Generic"
   }
 }
]
  • Status changed to Needs work 3 months ago
  • Comment 3 months ago β†’
    πŸ‡§πŸ‡ͺBelgium gorkagr
  • First commit to issue fork.
  • Pipeline finished with Success
    16 days ago
    #196588
  • Comment 16 days ago β†’
    πŸ‡¨πŸ‡­Switzerland znerol

    Rebased 3257293-registered-claims-6.0.x for 6.0.0-beta6.

contrib.social Blog FAQ Discussions
Production build 0.69.0 2024