
Boundary 0.2.1 doesn't parse Dex OIDC provider's aud claim #37

Closed
omkensey opened this issue May 17, 2021 · 0 comments · Fixed by #39


[Note: this issue was seen in Boundary, but is being filed here per conversation with @jimlambrt]

Describe the bug
Boundary cannot unmarshal the aud claim that Dex returns. The output given in the Boundary UI is {"kind":"Internal", "message":"authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: failed to parse claims for UserInfo verification: json: cannot unmarshal string into Go struct field verifyClaims.Aud of type []string"}

To Reproduce
I set up a Dex provider in a Docker container with the following config:

  • Docker run:

docker run -d -v /etc/dex/dex-config.yaml:/etc/dex/config.docker.yaml -p 5556:5556 -p 5558:5558 quay.io/dexidp/dex:latest

  • Dex config in /etc/dex/dex-config.yaml:

issuer: http://[Dex instance public IP]:5556/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556

telemetry:
  http: 0.0.0.0:5558

grpc:
  addr: 127.0.0.1:5557

logger:
  level: "debug"
  format: "text" # can also be "json"

oauth2:
  responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"

staticClients:
- id: boundary
  name: Boundary
  secret: [client secret]
  redirectUris:
  - [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback

connectors:
- type: google
  id: google
  name: Google public login

enablePasswordDB: true

staticPasswords:
- email: "[email protected]"
  hash: "[bcrypt password hash]"
  username: "jthompson"

Boundary OIDC provider config for Dex:

$ boundary auth-methods read -id amoidc_JZg1tu7M19

Auth Method information:
  Created Time:           Mon, 17 May 2021 02:34:00 EDT
  ID:                     amoidc_JZg1tu7M19
  Is Primary For Scope:   false
  Name:                   Dex
  Type:                   oidc
  Updated Time:           Mon, 17 May 2021 02:36:15 EDT
  Version:                4

  Scope:
    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accountss:
      create
      list

  Attributes:
    api_url_prefix:       [Boundary controller address]
    callback_url:
    [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
    client_id:            boundary
    client_secret_hmac:   kqu9d35RUER7qnleiSUmPMaCB9_YYQK_EIsJ1X-X0s0
    issuer:               http://[Dex instance public IP]:5556/dex
    signing_algorithms:   [RS256]
    state:                active-public

Expected behavior

Boundary OIDC should parse the aud claim received from Dex and authenticate the user.

Desktop (please complete the following information):

  • OS: Fedora 34
  • Browser: Firefox
  • Version: 88
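The failure quoted in the report is a type mismatch, not a bad token: RFC 7519 §4.1.3 allows the `aud` claim to be either a single JSON string or an array of strings, and Dex emits the single-string form. The following is an added example (not code from this issue, from Boundary, or from the cap library) of a Go audience type that accepts both shapes and still lets the caller check that the token was issued for its own client ID. The `Audience`, `Claims`, `ParseClaims` and `HasAudience` names are assumptions chosen for the example; the sample claims documents are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Audience accepts the two encodings RFC 7519 permits for "aud":
// a single JSON string or a JSON array of strings. Either form is
// normalised to a slice so verification code has one case to handle.
// (Assumed type name; not the library's own.)
type Audience []string

// UnmarshalJSON implements json.Unmarshaler. It tries the array form
// first, then the single-string form, and rejects anything else.
func (a *Audience) UnmarshalJSON(b []byte) error {
	var list []string
	if err := json.Unmarshal(b, &list); err == nil {
		*a = list
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err != nil {
		return fmt.Errorf("aud: expected string or array of strings, got %s", string(b))
	}
	*a = Audience{single}
	return nil
}

// Claims is a minimal stand-in for a verifier's claims struct
// (assumed shape; only the fields the example needs).
type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
}

// ParseClaims decodes a claims document (ID token payload or UserInfo
// response) into Claims. A non-string/non-array aud is an error.
func ParseClaims(raw []byte) (Claims, error) {
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return Claims{}, err
	}
	return c, nil
}

// HasAudience reports whether clientID is one of the token's intended
// audiences. A relying party must reject tokens that are not addressed
// to it, whichever encoding the provider used.
func (c Claims) HasAudience(clientID string) bool {
	for _, aud := range c.Aud {
		if aud == clientID {
			return true
		}
	}
	return false
}

func main() {
	// Constructed samples: Dex-style single-string aud, array-form aud,
	// and a malformed aud that should be rejected outright.
	samples := []string{
		`{"iss":"http://dex.example:5556/dex","sub":"jthompson","aud":"boundary"}`,
		`{"iss":"https://idp.example","sub":"jthompson","aud":["boundary","other-app"]}`,
		`{"iss":"https://idp.example","sub":"jthompson","aud":42}`,
	}
	for _, s := range samples {
		c, err := ParseClaims([]byte(s))
		if err != nil {
			fmt.Println("reject:", err)
			continue
		}
		fmt.Printf("aud=%v accepted for client \"boundary\": %v\n", c.Aud, c.HasAudience("boundary"))
	}
}
```

Trying the array form first matters: `json.Unmarshal` of a JSON string into `[]string` fails cleanly, so the fallback only runs for the single-string case, and a numeric or object-valued `aud` is reported as an error rather than silently becoming an empty audience that a lenient check might accept.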