hashicorp/cap

Boundary 0.2.1 doesn't parse Dex OIDC provider's `aud` claim

omkensey opened this issue · 0 comments

[Note: this issue was seen in Boundary, but is being filed here per conversation with @jimlambrt]

Describe the bug
Boundary cannot unmarshal the aud claim that Dex returns. The output given in the Boundary UI is {"kind":"Internal", "message":"authmethod_service.(Service).authenticateOidcCallback: Callback validation failed.: parameter violation: error #100: oidc.Callback: unable to get user info from provider: unknown: error #0: Provider.UserInfo: failed to parse claims for UserInfo verification: json: cannot unmarshal string into Go struct field verifyClaims.Aud of type []string"}

To Reproduce
I set up a Dex provider in a Docker container with the following config:

  • Docker run:

docker run -d -v /etc/dex/dex-config.yaml:/etc/dex/config.docker.yaml -p 5556:5556 -p 5558:5558 quay.io/dexidp/dex:latest

  • Dex config in /etc/dex/dex-config.yaml:

issuer: http://[Dex instance public IP]:5556/dex

storage:
  type: memory

web:
  http: 0.0.0.0:5556

telemetry:
  http: 0.0.0.0:5558

grpc:
  addr: 127.0.0.1:5557

logger:
  level: "debug"
  format: "text" # can also be "json"

oauth2:
  responseTypes: [ "code", "token", "id_token" ] # also allowed are "token" and "id_token"

staticClients:
- id: boundary
  name: Boundary
  secret: [client secret]
  redirectUris:
  - [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback

connectors:
- type: google
  id: google
  name: Google public login

enablePasswordDB: true

staticPasswords:
- email: "jthompson@hashicorp.com"
  hash: "[bcrypt password hash]"
  username: "jthompson"

Boundary OIDC provider config for Dex:

$ boundary auth-methods read -id amoidc_JZg1tu7M19

Auth Method information:
  Created Time:           Mon, 17 May 2021 02:34:00 EDT
  ID:                     amoidc_JZg1tu7M19
  Is Primary For Scope:   false
  Name:                   Dex
  Type:                   oidc
  Updated Time:           Mon, 17 May 2021 02:36:15 EDT
  Version:                4

  Scope:
    ID:                   global
    Name:                 global
    Type:                 global

  Authorized Actions:
    no-op
    read
    update
    delete
    change-state
    authenticate

  Authorized Actions on Auth Method's Collections:
    accountss:
      create
      list

  Attributes:
    api_url_prefix:       [Boundary controller address]
    callback_url:
    [Boundary controller address]/v1/auth-methods/oidc:authenticate:callback
    client_id:            boundary
    client_secret_hmac:   kqu9d35RUER7qnleiSUmPMaCB9_YYQK_EIsJ1X-X0s0
    issuer:               http://[Dex instance public IP]:5556/dex
    signing_algorithms:   [RS256]
    state:                active-public

Expected behavior

Boundary OIDC should parse the aud claim received from Dex and authenticate the user.

Desktop (please complete the following information):

  • OS: Fedora 34
  • Browser: Firefox
  • Version: 88
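The unmarshal error quoted in the bug description comes from decoding `aud` into a plain `[]string`, while RFC 7519 and OIDC Core allow a bare string when there is exactly one audience. The following is an added example, not code from hashicorp/cap or Boundary: a Go `Audience` type that accepts both encodings, followed by the client_id check that ID token validation requires. The `claims` struct, `ParseAndCheckAudience` and the sample JSON are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Audience is the JWT/OIDC "aud" claim. RFC 7519 and OIDC Core allow a JSON array of strings
// or, for a single audience (the shape Dex emits), a bare string that a plain []string rejects.
type Audience []string

// UnmarshalJSON accepts both encodings and normalises them to a slice.
func (a *Audience) UnmarshalJSON(b []byte) error {
	var many []string
	if json.Unmarshal(b, &many) == nil { // array form; JSON null yields a nil slice
		*a = many
		return nil
	}
	var single string
	if err := json.Unmarshal(b, &single); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = Audience{single}
	return nil
}

// claims is a hypothetical subset of ID token claims; Aud mirrors verifyClaims.Aud.
type claims struct {
	Sub string   `json:"sub"`
	Aud Audience `json:"aud"`
}

// ParseAndCheckAudience decodes raw claims and requires client_id to be among the audiences.
func ParseAndCheckAudience(raw []byte, clientID string) (*claims, error) {
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	for _, aud := range c.Aud {
		if aud == clientID {
			return &c, nil
		}
	}
	return nil, fmt.Errorf("aud %v does not contain client_id %q", c.Aud, clientID)
}

func main() {
	c, err := ParseAndCheckAudience([]byte(`{"sub":"jthompson","aud":"boundary"}`), "boundary") // constructed Dex-style sample
	fmt.Println(c.Aud, err) // prints [boundary] <nil>
}
```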