Project

General

Profile

Actions
Copy link

Bug #13553

open

Relax type check of claim "email_verified" in parseClaims in OidcProcess::handleResponse

Added by Stephan Kaiser about 2 months ago. Updated 10 days ago.

Status:
Review
Priority:
Normal
Assignee:
-
Target version:
4.12.0
Start date:
02/20/2025
Due date:
% Done:

0%

Estimated time:

Description

LinkedIn implemented their OIDC service to return the email_verified claim as a string value "true".

When OidcProcess::handleResponse receives and processes such a token where the claim email_verified is not stored as a boolean value true but instead as a string value "true" (or "false"), a TypeError exception is generated and the token processing is aborted.

There are two possible issues:

1: The authenticated signal is never triggered. I guess, that this is not the intention but I'm not too well versed in the internals of OidcService to be sure. At the moment, this might leave the process object alive.

2: I think, the TypeError exception could be avoided by changing this line:

bool emailVerified = claims.get("email_verified").orIfNull(false);

into:

bool emailVerified = claims.get("email_verified").toBool().orIfNull(false);

Json::Value::toBool() seems to safely attempt a conversion to a string value and checks for "true" and "false".

At the moment, I see no solution other than patching my Wt sources.

Files

20250301-oauth-unverified_email-relaxed-bool.patch (693 Bytes) 20250301-oauth-unverified_email-relaxed-bool.patch Stephan Kaiser, 03/01/2025 09:32 PM
Actions
Copy link
 #1

Updated by Stephan Kaiser about 2 months ago

I attached the rather small patch. :)
Works fine for these non-standard OAuth implementations (tested with LinkedIn) as well as standard-compliant ones (tested with Microsoft Entra).

Actions
Copy link
 #2

Updated by Matthias Van Ceulebroeck about 1 month ago ยท Edited

  • Status changed from New to InProgress
  • Assignee set to Matthias Van Ceulebroeck
  • Target version set to 4.11.4

Hello Stephen,

you are absolutely right, this orIfNull detects a value is present, and tries to return that as a bool. The cast lead to the TypeException.
I have scheduled this to be fixed in the immediate upcoming version, as it is a very small change. You'll of course get credit for finding and patching the bug ;)

Thank you!

Best,
Matthias

Actions
Copy link
 #3

Updated by Matthias Van Ceulebroeck about 1 month ago

  • Status changed from InProgress to Review
  • Assignee deleted (Matthias Van Ceulebroeck)
Actions
Copy link
 #4

Updated by Matthias Van Ceulebroeck 10 days ago

  • Target version changed from 4.11.4 to 4.12.0
Actions
Copy link

Also available in: Atom PDF