Hi there,
I’m currently testing out Kratos’ generic OIDC provider integration, but am getting stuck parsing the token payload with a confusing error:
The request was malformed or contained invalid parameters reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64
My OIDC provider (auth0) logs a successful code exchange so I believe this is occurring when trying to parse the token payloads that come back. It’s also worth noting that the provider struct seems to expect an int64, but Auth0’s updated_at field is a timestamp (e.g. 2020-07-23T19:45:32.614Z), but I still find this confusing because I haven’t asserted any mappings of the updated_at field in my jsonnet mapping file. Can anyone shed any light on why this might be happening?
Kratos Version: v0.4.6-alpha.1
Note: I also experienced the issue on v0.3, and upgrading didn’t seem to solve the problem.
Thanks in advance!
Kratos config
hashers:
  argon2:
    parallelism: 1
    memory: 131072
    iterations: 2
    salt_length: 16
    key_length: 16
identity:
  default_schema_url: file:///etc/config/kratos/identity.schema.json
selfservice:
  flows:
    settings:
      privileged_session_max_age: 1m
      after:
        profile:
          hooks:
            - hook: verify
    login:
      request_lifespan: 10m
    verification:
      enabled: true
    registration:
      request_lifespan: 10m
      after:
        password:
          hooks:
            - hook: session
        oidc:
          hooks:
            - hook: session
  strategies:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - id: auth0
            provider: generic
            mapper_url: file:///etc/config/kratos/auth0.mapper.jsonnet
            client_id: <redacted>
            client_secret: <redacted>
            scope:
              - email
              - profile
              - openid
            issuer_url: https://<auth0-domain>/
            auth_url: https://<auth0-domain>/authorize
            token_url: https://<auth0-domain>/oauth/token
Identity schema
{
  "$id": "https://architect.io/v1/identity.schema.json",
  "$schema": "http://json-schema.org/draft-07/schema#",
  "title": "User",
  "type": "object",
  "properties": {
    "email": {
      "type": "string",
      "format": "email",
      "title": "E-Mail",
      "minLength": 3,
      "ory.sh/kratos": {
        "credentials": {
          "password": {
            "identifier": true
          }
        },
        "verification": {
          "via": "email"
        }
      }
    },
    "username": {
      "type": "string",
      "title": "Username",
      "ory.sh/kratos": {
        "credentials": {
          "password": {
            "identifier": true
          }
        }
      }
    }
  },
  "required": ["email", "username"],
  "additionalProperties": false
}
Auth0 jsonnet mapper
local claims = std.extVar('claims');
{
  identity: {
    traits: {
      email: claims.email,
      username: claims.username,
    },
  },
}
Logs
time=2020-07-23T19:45:30Z level=info msg=started handling request method=POST name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/auth/877190ea-925a-4f63-9aba-80336b8e3c49
time=2020-07-23T19:45:32Z level=info msg=completed handling request method=POST name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/auth/877190ea-925a-4f63-9aba-80336b8e3c49 status=302 text_status=Found took=1.6935514s
time=2020-07-23T19:45:32Z level=info msg=started handling request method=GET name=public#http://auth.localhost:80/.kratos/ remote=172.19.0.1 request=/self-service/browser/flows/strategies/oidc/callback/auth0?code=LlhoyghUnz1f1aiB&state=c385f9c7-0282-4b96-84f8-8b25eb3d5f55
time=2020-07-23T19:45:33Z level=info msg=Encountered self-service request error. audience=audit error=map[debug: message:The request was malformed or contained invalid parameters reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64 status:Bad Request status_code:400] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-US,en;q=0.9 cache-control:max-age=0 cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". referer:http://auth.localhost/registration?request=877190ea-925a-4f63-9aba-80336b8e3c49 user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36 x-forwarded-for:172.19.0.1 x-forwarded-proto:http] host:david.ory-oauth-server.kratos.latest:4433 method:GET path:/self-service/browser/flows/strategies/oidc/callback/auth0 query:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". remote:172.19.0.8:42644 scheme:http] registration_request=&{877190ea-925a-4f63-9aba-80336b8e3c49 2020-07-23 19:55:25.433198 +0000 UTC 2020-07-23 19:45:25.433216 +0000 UTC http://david.ory-oauth-server.kratos.latest:4433/self-service/browser/flows/registration [] map[oidc:0xc00046f5e0 password:0xc00046f570] [] 2020-07-23 19:45:25.434723 +0000 UTC 2020-07-23 19:45:25.434751 +0000 UTC OKnzNKgrkFuWStPENHm3GQtJOsfEVx5hZ4WuqLw/5WLJeINeDj4eubSKSEU/KQtvktkL6QAwEiFp6+DFv0xVQA==} service_name=ORY Kratos service_version=v0.4.6-alpha.1
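
Added example, not part of the original post and not Kratos code: a standalone Go reproduction of the decode error quoted above, next to a field type that accepts either representation. OpenID Connect Core defines updated_at as a JSON number of seconds since the epoch, while the payload in the post carries a timestamp string; the Claims struct, the EpochOrRFC3339 type and the sample payload are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Claims mirrors the struct field named in the error: updated_at as int64.
type Claims struct {
	UpdatedAt int64 `json:"updated_at"`
}

// EpochOrRFC3339 (hypothetical) accepts epoch seconds or an RFC 3339 string.
type EpochOrRFC3339 int64

func (e *EpochOrRFC3339) UnmarshalJSON(b []byte) error {
	var n int64
	if json.Unmarshal(b, &n) == nil { // spec form: JSON number
		*e = EpochOrRFC3339(n)
		return nil
	}
	var t time.Time // provider form: quoted timestamp
	if err := t.UnmarshalJSON(b); err != nil {
		return fmt.Errorf("updated_at: want epoch seconds or RFC 3339: %w", err)
	}
	*e = EpochOrRFC3339(t.Unix())
	return nil
}

type TolerantClaims struct {
	UpdatedAt EpochOrRFC3339 `json:"updated_at"`
}

// sampleUserinfo is a constructed payload using the timestamp from the post.
const sampleUserinfo = `{"email":"user@example.com","updated_at":"2020-07-23T19:45:32.614Z"}`

func decodeStrict(raw string) (*Claims, error) {
	c := new(Claims)
	return c, json.Unmarshal([]byte(raw), c)
}
func decodeTolerant(raw string) (*TolerantClaims, error) {
	c := new(TolerantClaims)
	return c, json.Unmarshal([]byte(raw), c)
}

func main() {
	fmt.Println(decodeStrict(sampleUserinfo))   // type error on updated_at
	fmt.Println(decodeTolerant(sampleUserinfo)) // epoch seconds, nil error
}
```

In this sketch the strict decode fails before any claim is read, so a mapper that never references updated_at would not avoid it.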