Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

oidcclaimquery: better error handling for casting #3216

Open
MustafaSaber opened this issue Sep 2, 2024 · 3 comments · May be fixed by #3287
Open

oidcclaimquery: better error handling for casting #3216

MustafaSaber opened this issue Sep 2, 2024 · 3 comments · May be fixed by #3287
Labels
bug good first issue

Comments

@MustafaSaber
Copy link
Member

Describe the bug

if oidcclaimsquery get a jwt token that doesn't have sub for any reason it will fail to cast nil to string.

skipper/filters/auth/oidc_introspection.go

Line 134 in 00ff742

sub := token.Claims["sub"].(string)

To Reproduce

use a token without sub

Expected behavior

Better error handling instead of failing without clue what is happening.
@wassafshahzad
Copy link

I would like to pick this up

@AlexanderYastrebov
Copy link
Member

sub claim is optional per https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2

The question is what to use as user id when sub claim is not present.

@wassafshahzad
Copy link

wassafshahzad commented Oct 23, 2024
edited
Loading

sub claim is optional per https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2

The question is what to use as user id when sub claim is not present.

@AlexanderYastrebov
I apologize as I might not be fully aware of the context but do we have any other data that might be suitable in the JWT and if that is not possible we could panic for now and identify the correct key later .
I looked a but deeper there is a UserInfo struct and maybe we can use the username from there

type UserInfo struct {
	Subject       string `json:"sub"`
	Profile       string `json:"profile"`
	Email         string `json:"email"`
	EmailVerified bool   `json:"email_verified"`

	claims []byte
}

@wassafshahzad wassafshahzad linked a pull request Oct 26, 2024 that will close this issue
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug good first issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Added check to handle token parsing with claims without "sub". wassafshahzad/skipper
3 participants
@AlexanderYastrebov @wassafshahzad @MustafaSaber