Add compatibility with Apple ID oauth messages #793

Open
wants to merge 1 commit into
base: master

lfdominguez

  • Any changes relevant to users are recorded in the CHANGELOG.md.
  • The documentation has been updated, if necessary.
  • New code is annotated.
  • Changes are covered by tests.

Apple ID returns a boolean as text rather than as a raw boolean. This was detected using SATOSA (https://github.com/IdentityPython/SATOSA), which depends on this library. When it is configured to use Apple ID as a backend, the response from Apple raises an exception:

[2021-07-19 18:11:26,907] [ERROR] [satosa.proxy_server.__call__] Unknown error
Traceback (most recent call last):
  File "/usr/local/lib/python3.8/site-packages/SATOSA-7.0.1-py3.8.egg/satosa/base.py", line 240, in run
    resp = self._run_bound_endpoint(context, spec)
  File "/usr/local/lib/python3.8/site-packages/SATOSA-7.0.1-py3.8.egg/satosa/base.py", line 180, in _run_bound_endpoint
    return spec(context)
  File "/usr/local/lib/python3.8/site-packages/SATOSA-7.0.1-py3.8.egg/satosa/backends/apple.py", line 207, in response_endpoint
    access_token, id_token_claims = self._get_tokens(authn_resp, context)
  File "/usr/local/lib/python3.8/site-packages/SATOSA-7.0.1-py3.8.egg/satosa/backends/apple.py", line 124, in _get_tokens
    token_resp = self.client.do_access_token_request(scope="openid", state=authn_response["state"],
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oic/__init__.py", line 703, in do_access_token_request
    atr = super().do_access_token_request(
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/__init__.py", line 919, in do_access_token_request
    return self.request_and_return(
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/__init__.py", line 812, in request_and_return
    return self.parse_request_response(resp, response, body_type, state, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/__init__.py", line 753, in parse_request_response
    return self.parse_response(
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/__init__.py", line 675, in parse_response
    verf = resp.verify(**kwargs)
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oic/message.py", line 356, in verify
    self["id_token"] = verify_id_token(self, **kwargs)
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oic/message.py", line 310, in verify_id_token
    idt = IdToken().from_jwt(_jws, **args)
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/message.py", line 692, in from_jwt
    return self.from_dict(jso)
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/message.py", line 344, in from_dict
    self._add_value(
  File "/usr/local/lib/python3.8/site-packages/oic-1.3.0-py3.8.egg/oic/oauth2/message.py", line 386, in _add_value
    raise ParameterError(
oic.oauth2.message.ParameterError: "true", wrong type of value for "email_verified"

where you can see the "true" vs the expected true.

@codecov-commenter

codecov-commenter commented Jul 19, 2021

Codecov Report

Merging #793 (091a460) into master (bd510e4) will decrease coverage by 0.02%.
The diff coverage is 20.00%.


@@            Coverage Diff             @@
##           master     #793      +/-   ##
==========================================
- Coverage   63.68%   63.66%   -0.03%     
==========================================
  Files          64       64              
  Lines       11846    11850       +4     
  Branches     2096     2098       +2     
==========================================
  Hits         7544     7544              
- Misses       3705     3707       +2     
- Partials      597      599       +2     
Impacted Files Coverage Δ
src/oic/oauth2/message.py 73.30% <20.00%> (-0.42%) ⬇️


@schlenk
Collaborator

schlenk commented Jul 19, 2021

Apple violates the spec, the key is clearly defined as a JSON boolean, not text.
(https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).

@lfdominguez
Author

> Apple violates the spec, the key is clearly defined as a JSON boolean, not text.
> (https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims).

Yes, I see that, but why not support this? I agree with you, of course... but the point is to try to support everything as long as that doesn't break anything, and to allow the use of pyoidc to expand, even to Apple's wrong spec.
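The trade-off discussed in this thread, as an added example that is not the PR's patch and not pyoidc code: a claim normalizer that is strict by default and, in an opt-in lenient mode, accepts only the exact strings "true" and "false". The names `normalize_boolean_claims`, `is_email_verified` and `ClaimTypeError`, and the sample payloads, are assumptions made for this example.

```python
import json

# Claims that OpenID Connect Core defines as JSON booleans.
BOOLEAN_CLAIMS = ("email_verified", "phone_number_verified")

# Exact strings accepted in lenient mode; anything else is rejected.
_STRING_BOOLEANS = {"true": True, "false": False}


class ClaimTypeError(ValueError):
    """A boolean claim carried a value of the wrong JSON type."""


def normalize_boolean_claims(claims, lenient=False):
    """Return a copy of claims in which boolean claims are real bools.

    strict (default): only JSON true/false pass, as the spec requires.
    lenient: the exact strings "true"/"false" are converted as well.
    """
    out = dict(claims)
    for name in BOOLEAN_CLAIMS:
        if name not in out:
            continue
        value = out[name]
        if isinstance(value, bool):
            continue
        if lenient and isinstance(value, str) and value in _STRING_BOOLEANS:
            out[name] = _STRING_BOOLEANS[value]
            continue
        raise ClaimTypeError(f"{value!r}, wrong type of value for {name!r}")
    return out


def is_email_verified(claims, lenient=False):
    # A missing claim means "not verified"; never fall back to truthiness.
    normalized = normalize_boolean_claims(claims, lenient)
    return normalized.get("email_verified", False) is True


# Constructed ID token payloads for illustration (not captured from Apple).
APPLE_STYLE = json.loads('{"sub": "001", "email_verified": "true"}')
UNVERIFIED = json.loads('{"sub": "002", "email_verified": "false"}')

if __name__ == "__main__":
    print(is_email_verified(APPLE_STYLE, lenient=True))
    print(is_email_verified(UNVERIFIED, lenient=True))
    # The pitfall a naive coercion would introduce: any non-empty string is truthy.
    print(bool(UNVERIFIED["email_verified"]))
```

Mapping the two literal strings explicitly matters because `bool("false")` is `True` in Python, so a truthiness-based coercion would treat an unverified address as verified.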
