Boundary 0.2.1 doesn't parse Dex OIDC provider's `aud` claim
omkensey opened this issue · 0 comments
[Note: this issue was seen in Boundary, but is being filed here per conversation with @jimlambrt]
Describe the bug
Boundary cannot unmarshal the `aud` claim that Dex returns. The output given in the Boundary UI is:

```json
{"kind":"Internal", "message":"authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: failed to parse claims for UserInfo verification: json: cannot unmarshal string into Go struct field verifyClaims.Aud of type []string"}
```
To Reproduce
I set up a Dex provider in a Docker container with the following config:
- Docker run:

```shell
docker run -d -v /etc/dex/dex-config.yaml:/etc/dex/config.docker.yaml -p 5556:5556 -p 5558:5558 quay.io/dexidp/dex:latest
```
- Dex config in /etc/dex/dex-config.yaml:

```yaml
issuer: http://[Dex instance public IP]:5556/dex
storage:
  type: memory
web:
  http: 0.0.0.0:5556
telemetry:
  http: 0.0.0.0:5558
grpc:
  addr: 127.0.0.1:5557
logger:
  level: "debug"
  format: "text" # can also be "json"
oauth2:
  responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"
staticClients:
  - id: boundary
    name: Boundary
    secret: [client secret]
    redirectUris:
      - [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
connectors:
  - type: google
    id: google
    name: Google public login
enablePasswordDB: true
staticPasswords:
  - email: "jthompson@hashicorp.com"
    hash: "[bcrypt password hash]"
    username: "jthompson"
```
Boundary OIDC provider config for Dex:

```
$ boundary auth-methods read -id amoidc_JZg1tu7M19

Auth Method information:
  Created Time:          Mon, 17 May 2021 02:34:00 EDT
  ID:                    amoidc_JZg1tu7M19
  Is Primary For Scope:  false
  Name:                  Dex
  Type:                  oidc
  Updated Time:          Mon, 17 May 2021 02:36:15 EDT
  Version:               4

  Scope:
    ID:                  global
    Name:                global
    Type:                global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accountss:
      create
      list

  Attributes:
    api_url_prefix:      [Boundary controller address]
    callback_url:        [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
    client_id:           boundary
    client_secret_hmac:  kqu9d35RUER7qnleiSUmPMaCB9_YYQK_EIsJ1X-X0s0
    issuer:              http://[Dex instance public IP]:5556/dex
    signing_algorithms:  [RS256]
    state:               active-public
```
Expected behavior
Boundary OIDC should parse the `aud` claim received from Dex and authenticate the user.
Desktop (please complete the following information):
- OS: Fedora 34
- Browser: Firefox
- Version: 88
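The unmarshal error above comes from decoding `aud` into a plain `[]string` while Dex sends it as a bare string. RFC 7519 permits either a single string or an array for `aud`, so a tolerant decoder has to accept both and still check that the relying party's client ID is among the audiences. The following is an added illustration written for this issue, not code from the cap or Boundary repositories; the type names `audience` and `userInfoClaims` and the function `parseUserInfo` are hypothetical.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// audience accepts both "aud" encodings RFC 7519 allows: a JSON string (as Dex sends) or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	if len(b) > 0 && b[0] == '"' { // single-string form
		var s string
		if err := json.Unmarshal(b, &s); err != nil {
			return err
		}
		*a = audience{s}
		return nil
	}
	var many []string // array form; a JSON null leaves the slice nil
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

// userInfoClaims is a hypothetical subset of UserInfo claims, not the library's type.
type userInfoClaims struct {
	Sub string   `json:"sub"`
	Aud audience `json:"aud,omitempty"`
}

// parseUserInfo decodes a UserInfo body and, when aud is present, requires clientID among the audiences.
func parseUserInfo(body []byte, clientID string) (*userInfoClaims, error) {
	var c userInfoClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if len(c.Aud) > 0 {
		found := false
		for _, v := range c.Aud {
			found = found || v == clientID
		}
		if !found {
			return nil, fmt.Errorf("aud %v does not include client %q", c.Aud, clientID)
		}
	}
	return &c, nil
}
```

Feeding it a constructed body such as `{"sub":"jthompson","aud":"boundary"}` yields a one-element audience, while an audience that omits the client ID or is neither a string nor an array is rejected.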