Interoperability with OAuth2 Server Library for PHP

Question

Interoperability with OAuth2 Server Library for PHP

tgal opened this issue 5 years ago · 6 comments

When trying to get Vouch to talk to a Symfony app with this PHP library (see https://github.com/bshaffer/oauth2-server-bundle) after successful authentication Vouch aborts with this error message:

INFO    OpenID userinfo body: %!(EXTRA string={"id":"me@myemailprovider.com","name":" "})
ERROR   json: cannot unmarshal string into Go struct field User.id of type int

The email address (me@myemailprovider.com) in the OpenID userinfo body is the primary user id in the Symfony app and I am expecting it in the X-Vouch-User HTTP header.

Any hints what's wrong here?

Answer 1 · 2019-04-07T15:02:30.000Z

Instead of returning a field named 'id', can you get it to return 'email'? May need to put a number in the 'id' field too.

…

On Sun, Apr 7, 2019, 7:45 AM tgal ***@***.***> wrote: When trying to get Vouch to talk to a Symfony app with this PHP library (see https://github.com/bshaffer/oauth2-server-bundle) after successful authentication Vouch aborts with this error message: INFO OpenID userinfo body: %!(EXTRA ***@***.***","name":" "}) ERROR json: cannot unmarshal string into Go struct field User.id of type int The email address ***@***.***) in the OpenID userinfo body is the primary user id in the Symfony app and I am expecting it in the X-Vouch-User HTTP header. Any hints what's wrong here? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#99>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK6140NJwRmJTj3iKepBN8HPOG5l8oks5vegSGgaJpZM4cgzY_> .

Answer 2 · 2019-04-07T16:01:15.000Z

No, unfortunately it is not possible to remove the 'id' field or have it return an integer.

Answer 3 · 2019-04-07T16:41:52.000Z

Unfortunately this aspect of OIDC is not specified. Everyone returns slightly different user information. Even if we turned 'id' from int to string there would be other changes necessary. It would necessitate establishing a new 'oauth.provider' and getting the id copied to 'User.username'. Its probably easier to hack the php library but if you cared to work on a PR I would be happy to support.

…

On Sun, Apr 7, 2019, 9:01 AM tgal ***@***.***> wrote: No, unfortunately it is not possible to remove the 'id' field or have it return an integer. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#99 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK6yZfEVgu8KrfXelsQZ4MMsDrQFUDks5vehZMgaJpZM4cgzY_> .

Answer 4 · 2019-04-07T18:09:11.000Z

Thanks for your reply, after all it was possible to have PHP return the OpenID userinfo as 'email' and now it all works. Thanks for providing this excellent piece of software!

Answer 5 · 2019-04-07T19:00:29.000Z

Oh I'm so glad! Would you be able to provide your config (redacted) for use with the php library and psuedocode for any modification you needed to make to get it to generate the email field? I'd love to link to the thread from the README. Thanks much!

…

On Sun, Apr 7, 2019, 11:09 AM tgal ***@***.***> wrote: Closed #99 <#99>. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#99 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABNK6yj9AfQJd7AN4-DVJBdRc8MeDQABks5vejRmgaJpZM4cgzY_> .

Answer 6 · 2019-04-07T19:14:16.000Z

It was not the PHP library's fault and least of all, Vault's. The PHP app's user_info_url endpoint now simply returns {"email":"me@myemailprovider.com"} instead of formerly {"id":"me@myemailprovider.com"}. It was a change in the way the PHP library was used. Thanks again!