When updating from 6.0.1 to 6.1.0 the library is not able to extract the ID_TOKEN


lu...@torre.co

Oct 23, 2018, 6:04:02 PM10/23/18
to Pac4j users mailing list
Hi!

We are getting problems after updating to the 6.1.0 version. We were using the 6.0.1 version of https://github.com/pac4j/play-pac4j with the following discoveryURI: https://accounts.torre.co/openid/.well-known/openid-configuration
{
  "authorization_endpoint": "https://accounts.torre.co/openid/authorize",
  "issuer": "https://accounts.torre.co/openid",
  "token_endpoint_auth_methods_supported": ["client_secret_post", "client_secret_basic"],
  "subject_types_supported": ["public"],
  "end_session_endpoint": "https://accounts.torre.co/openid/end-session",
  "userinfo_endpoint": "https://accounts.torre.co/openid/userinfo",
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://accounts.torre.co/openid/jwks",
  "token_endpoint": "https://accounts.torre.co/openid/token",
  "id_token_signing_alg_values_supported": ["HS256", "RS256"],
  "response_types_supported": ["code", "id_token", "id_token token", "code token", "code id_token", "code id_token token"],
  "frontchannel_logout_session_supported": true
}

Our application is using CentralLogout and with that version everything seems to work as expected. However, as soon as we updated the library to the 6.1.0 version, we started getting a NullPointerException in JWTParser.java at line 58. It seems that the library is not able to extract the token as it used to. Specifically, the getIdTokenString method in OidcProfile.java is returning null. If you need it, you can see the stack trace here: https://photos.app.goo.gl/nWhCWBPgaGUM1pNL9

Do you have any idea why this is happening? Or does any workaround come to mind that we could use to solve it for now?

Thank you very much in advance! If you need more info in order to better understand the problem, don't hesitate to contact me.


Jérôme LELEU

Oct 25, 2018, 8:51:43 AM10/25/18
to lu...@torre.co, pac4j...@googlegroups.com
Hi,

It's very strange as pac4j has only moved from version 3.0.0 to version 3.3.0 between play-pac4j v6.0.1 and v6.1.0.

And there is almost no change regarding the OIDC support.

Thanks.
Best regards,
Jérôme


--
You received this message because you are subscribed to the Google Groups "Pac4j users mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to pac4j-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Rebecca

Feb 11, 2019, 9:44:57 PM2/11/19
to Pac4j users mailing list
Hmm, I'm seeing this same error. I was fine with the default PlayCacheSessionStore, but my app is deployed across multiple nodes, so I am trying to switch over to the PlayCookieSessionStore (configured identically to https://github.com/pac4j/play-pac4j-scala-demo/blob/master/app/modules/SecurityModule.scala#L40, doing this per ), and I am suddenly seeing the same stack trace.

For reference, the new dependencies I am pulling in for this project are play-pac4j 6.1.0, pac4j-oidc 3.4.0, commons-io 2.5 and shiro-core 1.4.0

Rebecca

Feb 11, 2019, 10:01:36 PM2/11/19
to Pac4j users mailing list
Edit: tried updating to play-pac4j 7.0.0, pac4j-oidc 3.5.0 and still seeing the same thing - my initial redirect to the oidc provider works, and then JWTParser.parse throws a null pointer.

Were you ever able to figure out what triggered this?

Thanks!

Jérôme LELEU

Feb 12, 2019, 2:14:35 AM2/12/19
to Rebecca, Pac4j users mailing list
Hi,

If you use the PlayCookieSessionStore instead of the PlayCacheSessionStore, the profile is "cleaned" to be as small as possible: for OpenID Connect, the ID token is removed: https://github.com/pac4j/pac4j/blob/master/pac4j-oidc/src/main/java/org/pac4j/oidc/profile/OidcProfile.java#L136
This is the reason.
Thanks.
Best regards,
Jérôme

Rebecca Star

Feb 12, 2019, 5:36:32 AM2/12/19
to Jérôme LELEU, Pac4j users mailing list
I see. So then how do I set it up to both use the cookie store and OpenID Connect? I'm not explicitly calling anything to extract this token; it seems to just be happening automatically within my Secure routes. Asked another way, other than changing the session store, what other updates would I have to make to my client (or routes) so that my previously functioning OIDC flow is not suddenly throwing exceptions?

Sorry if this is a basic question, I’m pretty new to this stuff :D

Rebecca

Feb 12, 2019, 5:42:54 PM2/12/19
to Pac4j users mailing list
Edit: figured out at least part of it. Before, I was explicitly binding with:

// inside the Guice module's configure(); the OidcClient construction is elided
val oidcClient: OidcClient[OidcProfile, OidcConfiguration] = ...
val clients = new Clients(baseUrl + "/callback", oidcClient)   // callback URL plus the OIDC client
val config = new Config(clients)
config.setHttpActionAdapter(new PlayHttpActionAdapter())
bind(classOf[Config]).toInstance(config)                        // bind the pre-built Config instance

When I switched to providing oidcClient and config within separate methods tagged @Provides, it seems to be getting past this point (it must be injecting some other dependencies that aren't pulled in by my old code?). Now I'm past the nulls at least, though I have moved on to infinite auth loops, so not quite out of the weeds yet. Any suggestions on that? I get through callback, and my OidcProfile is successfully generated, and then it's right back to the DefaultSecurityLogic until the browser finally gives up on too many redirects.
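A Scala sketch of the setup the two posts above describe (the cookie session store from Jérôme's explanation, and the client and Config supplied through @Provides methods as in Rebecca's fix), plus a null-safe way to read the ID token from the resulting profile. This is an added example, not code from the thread or the pac4j project; it assumes play-pac4j 6.x / pac4j 3.x package names, and the client id, secret, discovery URI and callback URL are placeholders.

```scala
import com.google.inject.{AbstractModule, Provides}
import org.pac4j.core.client.Clients
import org.pac4j.core.config.Config
import org.pac4j.oidc.client.OidcClient
import org.pac4j.oidc.config.OidcConfiguration
import org.pac4j.oidc.profile.OidcProfile
import org.pac4j.play.http.PlayHttpActionAdapter
import org.pac4j.play.store.{PlayCookieSessionStore, PlaySessionStore, ShiroAesDataEncrypter}

class SecurityModule extends AbstractModule {

  override def configure(): Unit = {
    // Cookie-backed store: the whole profile travels in the PLAY_SESSION cookie,
    // so pac4j trims it (clearSensitiveData) and the raw ID token is not kept.
    bind(classOf[PlaySessionStore]).toInstance(new PlayCookieSessionStore(new ShiroAesDataEncrypter()))
  }

  // Client and Config come from @Provides methods rather than configure(),
  // the change Rebecca reports as getting past the NullPointerException.
  @Provides
  def provideOidcClient: OidcClient[OidcProfile, OidcConfiguration] = {
    val oidcConfiguration = new OidcConfiguration()
    oidcConfiguration.setClientId("CLIENT_ID_PLACEHOLDER")          // placeholder value
    oidcConfiguration.setSecret("CLIENT_SECRET_PLACEHOLDER")        // placeholder value
    oidcConfiguration.setDiscoveryURI("https://issuer.example/.well-known/openid-configuration")
    new OidcClient[OidcProfile, OidcConfiguration](oidcConfiguration)
  }

  @Provides
  def provideConfig(oidcClient: OidcClient[OidcProfile, OidcConfiguration]): Config = {
    val config = new Config(new Clients("https://app.example/callback", oidcClient))
    config.setHttpActionAdapter(new PlayHttpActionAdapter())
    config
  }
}

// Reading the profile afterwards: with the cookie store getIdTokenString may be
// null, and getIdToken feeds it straight to JWTParser.parse, hence the NPE.
object IdTokenAccess {
  def subject(profile: OidcProfile): Option[String] =
    Option(profile.getIdTokenString)
      .map(_ => profile.getIdToken.getJWTClaimsSet.getSubject)   // token still present
      .orElse(Option(profile.getId))   // "sub" was copied into the profile id itself
}
```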

Jérôme LELEU

Feb 13, 2019, 3:04:44 AM2/13/19
to Rebecca Star, Pac4j users mailing list
Hi,

Currently, it doesn't work. I'm not sure about the right solution: maybe we should keep the ID token or allow the PlayCookieSessionStore not to clear sensitive data.
I opened this so as not to forget about it: https://github.com/pac4j/play-pac4j/issues/258
Thanks.
Best regards,
Jérôme

Jérôme LELEU

Feb 13, 2019, 3:18:14 AM2/13/19
to Rebecca, Pac4j users mailing list
Hi,

It feels like the user profile is never saved into the session. You should turn on DEBUG logs on org.pac4j.
Thanks.
Best regards,
Jérôme


Rebecca Star

Feb 13, 2019, 8:29:14 AM2/13/19
to Jérôme LELEU, Pac4j users mailing list
I seem to have gotten it by avoiding the play helper - see
https://github.com/pac4j/play-pac4j/issues/257. I believe it's now working, though I haven't tested in a real environment yet.

Rebecca

Feb 13, 2019, 5:09:35 PM2/13/19
to Pac4j users mailing list
Scratch that, definitely not working, that play helper issue is just one part of it.

I do see a number of errors with "org.pac4j.core.engine.DefaultCallbackLogic - Unable to renew the session. The session store may not support this feature". Additionally, I get null pointers on both logout and with setExpireSessionWithToken enabled, though I suspect as you indicate that those are related to the id_token being cleared.

Do you have some estimate of a timeframe for when you would be able to get this working? I can certainly open a PR to remove the line `removeAttribute(OidcProfileDefinition.ID_TOKEN);` from OidcProfile.clearSensitiveData, though seems like there may be more to it than that. I'd like to stick with using pac4j for this as I'm this far into it, but I have a work deadline to get this working on my side, so trying to figure out if I should go with an alternate implementation in the meantime.

Thanks again for your help!

Jérôme LELEU

Feb 14, 2019, 2:31:49 AM2/14/19
to Rebecca, Pac4j users mailing list
Hi,

The PlayCookieSessionStore cannot be renewed: it's not an issue, it's by design. Data are stored in the PLAY_SESSION cookie with a known key, this cannot be changed when an authentication occurs.

Indeed, I guess that the null pointers come from the ID_Token removal.

Reviewing the source code once more, I see that the attributes of the ID_Token are copy/pasted as attributes in the profile so removing the ID_Token is fairly useless.

I made the changes. Can you test again with the version 3.6.0-SNAPSHOT?

A release is planned before the end of February because of the Google API deprecation.

Thanks.
Best regards,
Jérôme