Bug #13553
openRelax type check of claim "email_verified" in parseClaims in OidcProcess::handleResponse
0%
Description
LinkedIn implemented their OIDC service to return the email_verified claim as a string value "true".
When OidcProcess::handleResponse receives and processes such a token where the claim email_verified is not stored as a boolean value true but instead as a string value "true" (or "false"), a TypeError exception is generated and the token processing is aborted.
There are two possible issues:
1: The authenticated signal is never triggered. I guess, that this is not the intention but I'm not too well versed in the internals of OidcService to be sure. At the moment, this might leave the process object alive.
2: I think, the TypeError exception could be avoided by changing this line:
bool emailVerified = claims.get("email_verified").orIfNull(false);
into:
bool emailVerified = claims.get("email_verified").toBool().orIfNull(false);
Json::Value::toBool() seems to safely attempt a conversion to a string value and checks for "true" and "false".
At the moment, I see no solution other than patching my Wt sources.
Files
Updated by Stephan Kaiser 27 days ago
- File 20250301-oauth-unverified_email-relaxed-bool.patch 20250301-oauth-unverified_email-relaxed-bool.patch added
I attached the rather small patch. :)
Works fine for these non-standard OAuth implementations (tested with LinkedIn) as well as standard-compliant ones (tested with Microsoft Entra).
Updated by Matthias Van Ceulebroeck 24 days ago ยท Edited
- Status changed from New to InProgress
- Assignee set to Matthias Van Ceulebroeck
- Target version set to 4.11.4
Hello Stephen,
you are absolutely right, this orIfNull detects a value is present, and tries to return that as a bool. The cast lead to the TypeException.
I have scheduled this to be fixed in the immediate upcoming version, as it is a very small change. You'll of course get credit for finding and patching the bug ;)
Thank you!
Best,
Matthias
Updated by Matthias Van Ceulebroeck 24 days ago
- Status changed from InProgress to Review
- Assignee deleted (
Matthias Van Ceulebroeck)