Failed to unmarshal updated_at for generic OIDC provider (Auth0)

Hi there,

I’m currently testing out Kratos’ generic OIDC provider integration, but am getting stuck parsing the token payload with a confusing error:

The request was malformed or contained invalid parameters reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64

My OIDC provider (auth0) logs a successful code exchange so I believe this is occuring when trying to parse the token payloads that come back. It’s also worth noting that the provider struct seems to expect an int64, but Auth0’s updated_at field is a timestamp (e.g. 2020-07-23T19:45:32.614Z), but I still find this confusing because I haven’t asserted any mappings of the updated_at field in my jsonnet mapping file. Can anyone shed any light on why this might be happening?

Kratos Version: v0.4.6-alpha.1

Note: I also experienced the issue on v0.3, and upgrading didn’t seem to solve the problem.

Thanks in advance!

Kratos config

hashers:
  argon2:
    parallelism: 1
    memory: 131072
    iterations: 2
    salt_length: 16
    key_length: 16

identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json

selfservice:
  flows:
    settings:
      privileged_session_max_age: 1m
      after:
        profile:
          hooks:
            - hook: verify

    login:
      request_lifespan: 10m

    verification:
      enabled: true

    registration:
      request_lifespan: 10m
      after:
        password:
          hooks:
            - hook: session
        oidc:
          hooks:
            - hook: session

  strategies:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - id: auth0
            provider: generic
            mapper_url: file:///etc/config/kratos/auth0.mapper.jsonnet
            client_id: <redacted>
            client_secret: <redacted>
            scope:
              - email
              - profile
              - openid
            issuer_url: https://<auth0-domain>/
            auth_url: https://<auth0-domain>/authorize
            token_url: https://<auth0-domain>/oauth/token

Identity schema

{
  "$id": "https://architect.io/v1/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "email": {
      "type": "string",
      "format": "email",
      "title": "E-Mail",
      "minLength": 3,
      "ory.sh/kratos": {
        "credentials": {
          "password": {
            "identifier": true
          }
        },
        "verification": {
          "via": "email"
        }
      }
    },
    "username": {
      "type": "string",
      "title": "Username",
      "ory.sh/kratos": {
        "credentials": {
          "password": {
            "identifier": true
          }
        }
      }
    }
  },
  "required": ["email", "username"],
  "additionalProperties": false
}

Auth0 jsonnet mapper

local claims = std.extVar('claims');

{
  identity: {
    traits: {
      email: claims.email,
      username: claims.username,
    },
  },
}

Logs

time=2020-07-23T19:45:30Z level=info msg=started handling request method=POST name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/auth/877190ea-925a-4f63-9aba-80336b8e3c49
time=2020-07-23T19:45:32Z level=info msg=completed handling request method=POST name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/auth/877190ea-925a-4f63-9aba-80336b8e3c49 status=302 text_status=Found took=1.6935514s
time=2020-07-23T19:45:32Z level=info msg=started handling request method=GET name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/callback/auth0?code=LlhoyghUnz1f1aiB&state=c385f9c7-0282-4b96-84f8-8b25eb3d5f55
time=2020-07-23T19:45:33Z level=info msg=Encountered self-service request error. audience=audit error=map[debug: message:The request was malformed or contained invalid parameters reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64 status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 cache-control:max-age=0 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". referer:http://auth.localhost/registration?request=877190ea-925a-4f63-9aba-80336b8e3c49 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 x-forwarded-for:172.19.0.1 x-forwarded-proto:http] host:david.ory-oauth-server.kratos.latest:4433 method:GET path:/self-service/browser/flows/strategies/oidc/callback/auth0 query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.19.0.8:42644 scheme:http] registration_request=&{877190ea-925a-4f63-9aba-80336b8e3c49 2020-07-23 19:55:25.433198 +0000 UTC 2020-07-23 19:45:25.433216 +0000 UTC http://david.ory-oauth-server.kratos.latest:4433/self-service/browser/flows/registration  [] map[oidc:0xc00046f5e0 password:0xc00046f570] [] 2020-07-23 19:45:25.434723 +0000 UTC 2020-07-23 19:45:25.434751 +0000 UTC OKnzNKgrkFuWStPENHm3GQtJOsfEVx5hZ4WuqLw/5WLJeINeDj4eubSKSEU/KQtvktkL6QAwEiFp6+DFv0xVQA==} service_name=ORY Kratos service_version=v0.4.6-alpha.1
2 Likes

Sorry about the late reply! It looks like we probably shouldn’t enforce any typing in the claims except for username. I’ve created an issue based on your post in kratos: https://github.com/ory/kratos/issues/609