OidcIdToken cannot be serialized to JSON if token contains claim of type JSONObject #12360

Closed
habelson opened this issue Dec 9, 2022 · 2 comments
Assignees
Labels
for: stackoverflow A question that's better suited to stackoverflow.com

Comments

habelson commented Dec 9, 2022

Describe the bug
If an IdP sends an ID token with claim may_act, the Jackson ObjectMapper with SecurityJackson2Modules cannot serialize the ID token to JSON (related: #9210).
The may_act claim in the ID token has the type com.nimbusds.jose.shaded.json.JSONObject for which there is no default mixin.

Tested with Spring Security 5.7.5.
To Reproduce
These steps resemble a normal oauth2Login configuration where additionally the ID token is serialized to JSON.

1. Include a may_act claim in the ID token.
2. Decode the string token value to a Jwt using a JwtDecoder created by OidcIdTokenDecoderFactory.
3. Create an OidcIdToken from the Jwt.
4. Serialize the OidcIdToken to a JSON string using an ObjectMapper with the SecurityJackson2Modules.

Expected behavior
It is unclear what the expected behavior should be. I'm not sure what effect, if any, the may_act claim should have in Spring. However, the current behavior is to silently fail with a 500 Internal Server Error.

Note

This issue is very close to being identical to #9210; however, unlike the claims mentioned in that issue, there is no handling for the may_act claim in the OidcIdTokenDecoderFactory.

@habelson habelson added status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 9, 2022
fstorz commented Dec 13, 2022

Hi @habelson,

Maybe the solution for you might be to switch to spring-security 5.8 or higher. A dependent library (com.nimbusds:nimbus-jose-jwt), which is responsible for parsing the token content, was updated. Internally they updated the JSON parser, which might lead to changed results.

@jgrandja (Contributor) commented
@habelson Thanks for getting in touch, but it feels like this is a question that would be better suited to Stack Overflow. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add a minimal sample that reproduces this issue if you feel this is a genuine bug.

> The may_act claim in the ID token has the type com.nimbusds.jose.shaded.json.JSONObject for which there is no default mixin.

The may_act claim is a custom claim, so you will need to provide a custom Converter. You can supply the OidcIdTokenDecoderFactory.setClaimTypeConverterFactory() with a custom factory that includes the custom Converter for the may_act claim in addition to the default Converters via OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters().
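As an added example (not code from this issue or from Spring Security itself), the following configuration wires the suggested custom Converter into an OidcIdTokenDecoderFactory, so that the may_act claim is converted to a plain Map<String, Object> at decode time instead of being left as the shaded Nimbus JSONObject. It mirrors how the default converters handle the standard address claim; the class name, bean name and the OBJECT_TYPE/MAP_TYPE constants are assumptions chosen here.

```java
import java.util.HashMap;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.TypeDescriptor;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.oauth2.client.oidc.authentication.OidcIdTokenDecoderFactory;
import org.springframework.security.oauth2.client.registration.ClientRegistration;
import org.springframework.security.oauth2.core.converter.ClaimConversionService;
import org.springframework.security.oauth2.core.converter.ClaimTypeConverter;
import org.springframework.security.oauth2.jwt.JwtDecoderFactory;

@Configuration
public class MayActClaimConfig {

    // Target type for the converted claim: a plain Map<String, Object>, which the
    // SecurityJackson2Modules-enabled ObjectMapper can serialize. The shaded Nimbus
    // JSONObject cannot be serialized because no mixin exists for it.
    private static final TypeDescriptor OBJECT_TYPE = TypeDescriptor.valueOf(Object.class);
    private static final TypeDescriptor MAP_TYPE = TypeDescriptor.map(Map.class,
            TypeDescriptor.valueOf(String.class), OBJECT_TYPE);

    // oauth2Login() uses a JwtDecoderFactory<ClientRegistration> bean in place of
    // its default OidcIdTokenDecoderFactory.
    @Bean
    public JwtDecoderFactory<ClientRegistration> idTokenDecoderFactory() {
        // The shared ClaimConversionService already converts Map-like claim values
        // into a Map<String, Object>; reuse it for may_act.
        Converter<Object, ?> mapConverter = (source) -> ClaimConversionService
                .getSharedInstance().convert(source, OBJECT_TYPE, MAP_TYPE);

        OidcIdTokenDecoderFactory factory = new OidcIdTokenDecoderFactory();
        factory.setClaimTypeConverterFactory((clientRegistration) -> {
            // Start from the defaults so the standard claims (iss, aud, exp, ...)
            // keep their normal conversion, then register the custom may_act claim.
            Map<String, Converter<Object, ?>> converters =
                    new HashMap<>(OidcIdTokenDecoderFactory.createDefaultClaimTypeConverters());
            converters.put("may_act", mapConverter);
            return new ClaimTypeConverter(converters);
        });
        return factory;
    }
}
```

With this in place, step 4 of the reproduction (serializing the OidcIdToken with an ObjectMapper carrying the SecurityJackson2Modules) sees only String and Map claim values, which the modules handle without an extra mixin.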

@jgrandja jgrandja self-assigned this Dec 13, 2022
@jgrandja jgrandja added for: stackoverflow A question that's better suited to stackoverflow.com and removed status: waiting-for-triage An issue we've not yet triaged type: bug A general bug labels Dec 13, 2022