PAC4J OIDC change has broken Azure


Colin Wilkinson

Aug 9, 2023, 7:52:17 PM
to CAS Developer
Hi Misagh Moayyed,

I have directly sent this to you and apologies if this has already been raised.

has broken Azure that I know of but may have broken other OIDC as well.

The issue is with the code added in the class BaseDelegatedClientFactory, in particular the changes in the method getOidcConfigurationForClient.

The change that has caused the issue is where you add the OidcOpMetadataResolver.

In terms of Azure, due to the fact that the tenantId is not added until after getOidcConfigurationForClient has finished running, when the OidcOpMetadataResolver tries to get the metadata the tenantId is null.

The discovery URI is not valid, as the discovery URI for Azure is dynamic in nature: all calls go to Microsoft and the only difference is that the tenantId is injected into the discovery URI.

This should take you directly to the BaseDelegatedClientFactory diff from the above commit.

Due to there being many different ways to fix this issue, for now I have only reported it, as I am unsure how you would want it fixed.

Regards,
Colin

Misagh Moayyed

Aug 10, 2023, 1:54:05 PM
to CAS Developer, wilc...@gmail.com

On Thursday, August 10, 2023 at 3:52:17 AM UTC+4 wilc...@gmail.com wrote:
> Hi Misagh Moayyed,

Hello Colin,

> I have directly sent this to you and apologies if this has already been raised.

You have sent this message to the CAS Developer mailing list. It is not sent directly to me, though I happen to read messages every once in a while.

> has broken Azure that I know of but may have broken other OIDC as well.

Please put together and share automated, reproducible repeated test scenarios in isolated environments that demonstrate failures.

Colin Wilkinson

Aug 11, 2023, 1:59:16 AM
to Misagh Moayyed, CAS Developer
Hi Misagh,

Sorry about that, I meant to say I have addressed this to you.

I am not sure there is any way to easily test this, and that is due to the fact that the OidcConfiguration in OidcOpMetadataResolver is not externally accessible.

Regards,
Colin

Pablo Vidaurri

Sep 29, 2023, 3:58:52 AM
to CAS Developer, wilc...@gmail.com
Have you worked around this?

Colin Wilkinson

Oct 12, 2023, 3:38:41 AM
to CAS Developer, psvid...@gmail.com, Colin Wilkinson
Hi PSVID,

Sorry for the late reply, yes I did. Basically you need to recreate the OidcOpMetadataResolver with the updated configuration.

    if (client instanceof OidcClient oidcClient) {
        // Build a fresh resolver from the configuration as it stands now (tenantId applied),
        // and replace the one created earlier in getOidcConfigurationForClient.
        val opMetadataResolver = new OidcOpMetadataResolver(oidcClient.getConfiguration());
        oidcClient.getConfiguration().setOpMetadataResolver(opMetadataResolver);
        if (!opMetadataResolver.isInitialized()) {
            try {
                opMetadataResolver.reinit();
            } catch (final Exception e) {
                LOGGER.error("The error of [{}] was thrown while loading metadata for [{}]", e.getMessage(), oidcClient.getName(), e);
            }
        }
    }

Regards,
Colin
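For reference, one way to wire the workaround above into CAS is a client-factory customizer that first checks the discovery URI is fully resolved before rebuilding the resolver, so a half-built URI (null or template tenantId) is logged instead of resolved against. This is an added example, not code from the thread, CAS or pac4j; the DelegatedClientFactoryCustomizer hook, the pac4j package names and the placeholder heuristic are assumptions.

```java
import lombok.extern.slf4j.Slf4j;
import lombok.val;
import org.apereo.cas.support.pac4j.authentication.clients.DelegatedClientFactoryCustomizer; // assumed CAS hook
import org.pac4j.core.client.IndirectClient;
import org.pac4j.oidc.client.OidcClient;
import org.pac4j.oidc.metadata.OidcOpMetadataResolver; // assumed pac4j package

/**
 * Rebuilds the OP metadata resolver once the client's configuration is final,
 * so discovery runs against the fully resolved URI rather than a half-built one.
 */
@Slf4j
public class ResolvedDiscoveryMetadataCustomizer implements DelegatedClientFactoryCustomizer<IndirectClient> {

    @Override
    public void customize(final IndirectClient client) {
        if (!(client instanceof OidcClient oidcClient)) {
            return;
        }
        val configuration = oidcClient.getConfiguration();
        val discoveryUri = configuration.getDiscoveryURI();

        // Heuristic precondition (assumption): refuse to resolve metadata against a URI that is
        // missing, still carries an unresolved template placeholder, or has a literal "null" segment.
        if (discoveryUri == null || discoveryUri.contains("{") || discoveryUri.contains("/null/")) {
            LOGGER.warn("Discovery URI [{}] for client [{}] is not fully resolved; skipping metadata resolution",
                discoveryUri, oidcClient.getName());
            return;
        }

        // Same recovery as the workaround in the thread: replace the resolver built too early.
        val resolver = new OidcOpMetadataResolver(configuration);
        configuration.setOpMetadataResolver(resolver);
        if (!resolver.isInitialized()) {
            try {
                resolver.reinit();
            } catch (final Exception e) {
                LOGGER.error("Failed to load OP metadata for [{}] from [{}]", oidcClient.getName(), discoveryUri, e);
            }
        }
    }
}
```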
