
Issue interoperating with Keycloak

Open Darkeye9 opened this issue 6 years ago • 1 comment

I am debugging this plugin through a Tuleap (https://www.tuleap.org) installation. But I think the problem is isolated to this plugin code.

I have the following Keycloak Token Response JSON Body:

Content-Type: application/json (the three token values are truncated in the capture):

    {
        "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjd2g4bGx3N1hLMmdES29YOGpKc3laVnpuUWdEM09SV1VYZmwtS3VxazA4In0.eyJqdGkiOiI3MjY3OTMzOS05Y2Q0LTQ0ZGYtODQ4NS02M2E1NTFhZWQ3NjQiLCJleHAiOjE1MzE5MjY4NjMsIm5iZiI6MCwiaWF0...",
        "expires_in": 300,
        "refresh_expires_in": 1800,
        "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjd2g4bGx3N1hLMmdES29YOGpKc3laVnpuUWdEM09SV1VYZmwtS3VxazA4In0.eyJqdGkiOiIwZDgzZGIyNi05ZmEzLTQ3NDQtYWI3YS1jNjYwYTMwZWZiMmEiLCJleHAiOjE1MzE5MjgzNjMsIm5iZiI6MCwiaWF0...",
        "token_type": "bearer",
        "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjd2g4bGx3N1hLMmdES29YOGpKc3laVnpuUWdEM09SV1VYZmwtS3VxazA4In0.eyJqdGkiOiJlZGE5MzEwYS1mNDQ0LTQzYzktOTE5OC0wZDZmZGM0OTgyODgiLCJleHAiOjE1MzE5MjY4NjMsIm5iZiI6MCwiaWF0...",
        "not-before-policy": 0,
        "session_state": "2d1a7320-706a-4d7e-b460-f0babe6f109d",
        "scope": "openid profile email"
    }

And I eventually traced a very silent error in Tuleap back to this library:

Exception during token request: [InoOicClient\Oic\Token\Exception\InvalidResponseException] Invalid response: [InoOicClient\Entity\Exception\InvalidMethodException] Invalid method InoOicClient\Oic\Token\Response::setNot-before-policy()

So your library is complaining about that concrete claim Keycloak sent. I know it's not very standard, but it should not cause this level of disruption in the working flow. Other OIDC implementations coped very well with this, I suppose by ignoring the error.

What can be done to mitigate this?

Thank you for your time.

Darkeye9 avatar Jul 18 '18 16:07 Darkeye9
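As an added example (not code from php-openid-connect-client, Tuleap or Keycloak), one way to hydrate a token response that survives non-standard members: known names are taken from a fixed whitelist, and anything else, such as Keycloak's not-before-policy, is recorded and ignored instead of being turned into a setter name. The class name, the getters and the sample body (tokens shortened) are constructed for this example.

```php
<?php
// Added example, not the library's own code. Hydrates a token response from
// decoded JSON. Unknown members (e.g. Keycloak's "not-before-policy") are
// collected and ignored, as RFC 6749 §5.1 requires of clients, instead of
// being used to build a method name like setNot-before-policy().
declare(strict_types=1);

final class TokenResponse
{
    // Members a client is expected to understand (RFC 6749 §5.1, OIDC Core §3.1.3.3).
    private const KNOWN_MEMBERS = [
        'access_token', 'token_type', 'expires_in', 'refresh_token', 'scope', 'id_token',
    ];

    /** @var array<string, mixed> accepted members */
    private array $members = [];
    /** @var string[] names the server sent that this client does not understand */
    private array $ignored = [];

    public static function fromJson(string $body): self
    {
        $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($data)) {
            throw new UnexpectedValueException('Token response is not a JSON object');
        }
        $response = new self();
        foreach ($data as $name => $value) {
            // Only whitelisted names are kept; a method name is never derived from server input.
            if (in_array($name, self::KNOWN_MEMBERS, true)) {
                $response->members[$name] = $value;
            } else {
                $response->ignored[] = (string) $name;
            }
        }
        // RFC 6749 §5.1: access_token and token_type are REQUIRED in a successful response.
        foreach (['access_token', 'token_type'] as $required) {
            if (!isset($response->members[$required])) {
                throw new UnexpectedValueException("Token response lacks required member '$required'");
            }
        }
        return $response;
    }

    public function get(string $name): mixed { return $this->members[$name] ?? null; }
    public function ignoredMembers(): array { return $this->ignored; }
}

// Constructed sample mirroring the Keycloak response in the issue (token values shortened).
$body = '{"access_token":"eyJ...","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJ...","token_type":"bearer","id_token":"eyJ...","not-before-policy":0,"session_state":"2d1a7320-706a-4d7e-b460-f0babe6f109d","scope":"openid profile email"}';
$r = TokenResponse::fromJson($body);
printf("token_type=%s ignored=%s\n", $r->get('token_type'), implode(',', $r->ignoredMembers()));
```

Logging the ignored names (here refresh_expires_in, not-before-policy and session_state) keeps the silent-failure problem visible without breaking the login flow.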

This package is minimally maintained but I'll entertain a PR.

bradjones1 avatar Jul 18 '18 16:07 bradjones1