Timshel/vaultwarden

Doesn't work with Casdoor.

rimm74rus opened this issue · 8 comments

The Casdoor token is being created and everything seems to be fine.
docker env
SSO_ONLY=true
SSO_AUTHORITY=https://sso.example.ru
SSO_PKCE=true
SSO_SCOPES=openid profile offline_access
SSO_CLIENT_ID=key_id
SSO_CLIENT_SECRET=key_secred
SSO_ENABLED=true
SSO_SIGNUPS_MATCH_EMAIL=true
SSO_AUTHORIZE_EXTRA_PARAMS=maybe something needs to be prescribed here?
SSO_FRONTEND=override

[2024-06-08 23:54:06.579][request][INFO] GET /identity/sso/prevalidate?domainHint=VaultWarden
[2024-06-08 23:54:06.581][response][INFO] (prevalidate) GET /identity/sso/prevalidate => 200 OK
[2024-06-08 23:54:06.607][request][INFO] GET /identity/connect/authorize?client_id=web&redirect_uri=htt
[2024-06-08 23:54:06.658][reqwest::connect][DEBUG] starting new connection: https://sso.example.ru/
[2024-06-08 23:54:06.727][reqwest::connect][DEBUG] starting new connection: https://sso.example.ru/
[WARNING] Failed to parse (https://sso.example.ru/login/oauth/authorize?). Expected key=value
[2024-06-08 23:54:06.739][response][INFO] (authorize) GET /identity/connect/authorize?<data..> => 307 Temporary Redirect
[2024-06-08 23:54:07.010][request][INFO] GET /identity/connect/oidc-signin?code=d6a6ff3af43cf73b75a3&stat
[2024-06-08 23:54:07.015][vaultwarden::api::identity][DEBUG] Redirection to https://vw.example.ru/sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE3MTc4NzMxNDcsImlzcyI6Imh0dHBzOi8vdncubWduLWRvbWV4cGVydC5ydXxzc28iLCJjb2RlIjp7Ik9rIjp7ImNvZGUiOiJkNmE2ZmYzYWY0M2NmNzNiNzVhMyIsInN0YXRlIjoiUzZMTTJaaHNZb0p5Mnk0NER2M1JaUGlpZUJzelc4RmNSR2FHNGpvanREOVNoUU5hQmlxam91NYUJFdG9VSGNqSF9pZGVudGlmaWVyPXVuZGVmaW5lZCJ9fX0.do5JPWP-nlzeutJN6YT3UCV8u12kD8Q6KYyNAHB123DxANUvcBj-NMcIQBSmddadaiYXZfwxN63kGPoM8s7Bbt-nhLGsVR2uTLZy8m1cphJvjgUX55Avyc7UrJLIXTBX38rNRkFXlsxRu4E_2rgq8UFbfrMfuCxwMsXQWrMamIV_G-5zF-LTnSwRzJ_1hnLGp7OjPRQEm1iuIztPLh9qCqN53ctxVRH6Ybi2_vObvGHfK6akz8P106VJqt5xu7ex3uHYcNj_UKkYRE5Ui_4uPFGAtfwKjRtm_0u9KljfLkjmxmejrYlHIUfXmZ15BRfoN9Ma0SG-ydmciUEGPVsaCdLIERHFTw&state=S6LM2ZhsYoJy2y44Dv3RZPiieBszW8FcRGaG4jojtD9ShQNaBiqjoMaBEtoUHcjH_identifier%3Dundefined&scope=api+offline_access&iss=https%3A%2F%2Fvw.example.ru
[2024-06-08 23:54:07.015][response][INFO] (oidcsignin) GET /identity/connect/oidc-signin?& => 307 Temporary Redirect
[2024-06-08 23:54:07.039][request][INFO] GET /sso-connector.html?code=eyJ0eXAiOiJKV1QiLCJhbGciO
[2024-06-08 23:54:07.040][response][INFO] (web_files) GET /<p..> [10] => 200 OK
[2024-06-08 23:54:07.249][request][INFO] POST /identity/connect/token
[2024-06-08 23:54:07.293][reqwest::connect][DEBUG] starting new connection: https://sso.example.ru/
[2024-06-08 23:54:07.362][reqwest::connect][DEBUG] starting new connection: https://sso.example.ru/
[2024-06-08 23:54:07.419][reqwest::connect][DEBUG] starting new connection: https://sso.example.ru/
[2024-06-08 23:54:07.433][vaultwarden::sso][ERROR] Failed to contact token endpoint: Failed to parse server response

Hey

Hey just tested and reproduced the problem.
The issue appears to be that Casdoor sends back an invalid address claim in the id_token.

When empty it sends back an empty array instead of a json object as defined in the spec.

This fails in the openidconnect lib so I can't do much, and since it does not match the spec I doubt the author would change it.

Your best bet is to find a way to remove the field since it's optional.

A Casdoor issue mentions the problem and a potential fix to reduce the number of fields sent:
jkroepke/openvpn-auth-oauth2#87 (comment)

Edit: the issue with checking late at night :D. When following the issue casdoor/casdoor#1184 I missed that the mentioned fix was done in a separate project and not in Casdoor.
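To check whether an IdP is emitting the malformed claim described above, here is an added diagnostic (not code from vaultwarden, Casdoor or this thread) that decodes an id_token payload without verifying it and checks the optional address claim against OIDC Core 1.0 section 5.1.1; the sample token and its claim values are constructed.

```python
import base64
import json

# OIDC Core 1.0 section 5.1.1: "address" is a JSON object whose members are
# all optional strings. Anything else (e.g. an empty array) is out of spec.
ADDRESS_MEMBERS = {"formatted", "street_address", "locality", "region", "postal_code", "country"}

def _b64url_decode(segment: str) -> bytes:
    """Decode one unpadded base64url JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwt_payload(token: str) -> dict:
    """Return the claims of a compact JWS WITHOUT verifying the signature.
    Diagnostic only: never trust claims obtained this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_address_claim(claims: dict) -> list:
    """Return a list of spec violations in the optional 'address' claim."""
    if "address" not in claims:
        return []  # optional claim; absent is fine
    addr = claims["address"]
    if not isinstance(addr, dict):
        return [f"address must be a JSON object, got {type(addr).__name__}"]
    problems = []
    for key, value in addr.items():
        if key not in ADDRESS_MEMBERS:
            problems.append(f"unknown address member {key!r}")
        elif not isinstance(value, str):
            problems.append(f"address.{key} must be a string")
    return problems

def strip_invalid_address(claims: dict) -> dict:
    """Workaround from the thread: drop the optional claim when malformed."""
    if check_address_claim(claims):
        return {k: v for k, v in claims.items() if k != "address"}
    return claims

# Constructed sample id_token mimicking the Casdoor payload; the signature
# segment is a placeholder, so only jwt_payload() can read it.
SAMPLE_CLAIMS = {"iss": "https://sso.example.ru", "sub": "user-1",
                 "email": "user@example.ru", "address": []}
SAMPLE_TOKEN = ".".join([_b64url_encode(b'{"alg":"RS256","typ":"JWT"}'),
                         _b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
                         "placeholder-signature"])
```

Run `check_address_claim(jwt_payload(token))` on a real id_token captured from the IdP; a non-empty list means the token would trip the same parser failure.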

@Timshel hi, I'm from Casdoor team. Can you guys make a PR to fix it?

@hsluoyz Hey, I'm not using Casdoor and I'm not familiar with its code base so I have no plan to contribute at the moment.

Hi @rimm74rus @Timshel we have fixed this issue in PR: casdoor/casdoor#3013

Upgrade Casdoor to 1.632.0 and later to try it

Tested version 1.632.0 and it was not working and the change appears to have been reverted in the following release.

As this bug was probably fixed in https://github.com/casdoor/casdoor/releases/tag/v1.639.0, it would be nice if you could try to reproduce it and see if the error still exists, because then this issue could be closed @Timshel

It appears to work but managed to stumble on a non-blocking issue casdoor/casdoor#3162 😅