OIDC An Internal Error Has Occurred
elenezet opened this issue · 2 comments
Hello,
I'm trying to use MISP with CAS OIDC. All seems ok but I have this error:
2023-03-10 13:27:45 Error: [JakubOnderka\JsonException] Could not decode provided JSON
Request URL: /users/login
Stack Trace:
#0 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(210): JakubOnderka\Json::decode()
#1 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(2208): JakubOnderka\CurlResponse->json()
#2 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(890): JakubOnderka\OpenIDConnectClient->endpointRequest()
#3 /var/www/MISP/app/Vendor/jakub-onderka/openid-connect-php/src/OpenIDConnectClient.php(555): JakubOnderka\OpenIDConnectClient->requestAuthorization()
#4 /var/www/MISP/app/Plugin/OidcAuth/Lib/Oidc.php(22): JakubOnderka\OpenIDConnectClient->authenticate()
#5 /var/www/MISP/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php(33): Oidc->authenticate()
#6 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(772): OidcAuthenticate->authenticate()
#7 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Component/AuthComponent.php(612): AuthComponent->identify()
#8 /var/www/MISP/app/Controller/UsersController.php(1211): AuthComponent->login()
#9 [internal function]: UsersController->login()
#10 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Controller/Controller.php(499): ReflectionMethod->invokeArgs()
#11 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(193): Controller->invokeAction()
#12 /var/www/MISP/app/Vendor/cakephp/cakephp/lib/Cake/Routing/Dispatcher.php(167): Dispatcher->_invoke()
#13 /var/www/MISP/app/webroot/index.php(99): Dispatcher->dispatch()
#14 {main}
I tried all options but I don't know why there is a problem.
My conf:
misp
nginx for https
oidc
The format is:
{
  "sub": "toto@toto.com",
  "service": "https://misptux.com/",
  "auth_time": 1678438129,
  "attributes": {
    "email": "toto@toto.com",
    "roles": "misp-access",
    "userId": "E4883"
  },
  "id": "toto@arkea.com",
  "client_id": "sgp5Ngmy345Aq9grDtkywncgz7Hj9HhYhtKorLMSeQoiSXFw9vUMcxU2kSTjTfYk"
}
I don't understand what's wrong.
I believe the "roles" claim is assumed to be an array, so instead of "roles": "misp-access" the Oidc plugin only accepts "roles": ["misp-access"].
(I have the same issue with using AWS Cognito which also only supports returning string types in custom claims, so I'm running with a patched plugin to work around this).
Also it could be that the "roles" claim needs to be at the top level, i.e. not nested within the attributes block.
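The two claim-shape problems raised in the comment above (a "roles" value that arrives as a plain string instead of an array, and a claim nested under an "attributes" block instead of sitting at the top level) can be handled by normalizing the claim set before mapping it to an application role. The following is an added, stand-alone Python illustration of that normalization; it is not code from MISP or its OidcAuth plugin, and the function names, the `attributes` nesting key and the sample claim values are assumptions modelled on the JSON posted in this issue. It fails closed: an absent or unexpectedly typed claim raises instead of yielding a default role, and only role names present in an explicit allow-list map to anything.

```python
import json

# Constructed sample mirroring the claim shape from the issue (placeholder
# identities, not real ones): "roles" is a bare string nested under "attributes".
SAMPLE_CLAIMS_JSON = """
{
  "sub": "user@example.com",
  "attributes": {
    "email": "user@example.com",
    "roles": "misp-access",
    "userId": "E0000"
  }
}
"""


def load_claims(text):
    """Parse a JSON claim set into a dict; a non-object document is rejected."""
    claims = json.loads(text)
    if not isinstance(claims, dict):
        raise ValueError("claim set must be a JSON object")
    return claims


def extract_roles(claims, claim_name="roles", nested_key="attributes"):
    """Return the roles claim as a list of strings.

    Accepts the shapes an identity provider may emit:
      - an array of strings at the top level   "roles": ["a", "b"]
      - a single string at the top level       "roles": "a"
      - either of the above nested under the assumed "attributes" block
    A missing claim or an unsupported type raises ValueError so the caller
    denies login rather than assigning a fallback role.
    """
    value = claims.get(claim_name)
    if value is None and isinstance(claims.get(nested_key), dict):
        value = claims[nested_key].get(claim_name)
    if value is None:
        raise ValueError(f"claim {claim_name!r} not present")
    if isinstance(value, str):
        # Providers that can only return string custom claims (CAS, Cognito as
        # described in the thread) are treated as supplying a single role.
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)
    raise ValueError(
        f"claim {claim_name!r} has unsupported type {type(value).__name__}"
    )


def resolve_role(claims, role_map, claim_name="roles"):
    """Map IdP role names to one application role via an ordered allow-list.

    role_map is {idp_role_name: app_role}, most privileged entry first; the
    first match wins, unknown names are ignored, and None means "deny".
    """
    granted = set(extract_roles(claims, claim_name))
    for idp_role, app_role in role_map.items():
        if idp_role in granted:
            return app_role
    return None


if __name__ == "__main__":
    claims = load_claims(SAMPLE_CLAIMS_JSON)
    print(extract_roles(claims))
    print(resolve_role(claims, {"misp-admin": "Admin", "misp-access": "User"}))
```

Run as a script it normalizes the nested string claim to `['misp-access']` and maps it to `User`; swapping the sample for a top-level array such as `"roles": ["misp-admin"]` exercises the other accepted shape without any code change.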