
bug: unable to call the user info endpoint when integrating Logto Cloud with rust openidconnect.

Open · AH-dark opened this issue 1 year ago • 5 comments

Describe the bug

Based on the response in this GitHub issue, I suspect that the OIDC content provided by Logto may not fully comply with the standard.

When calling the userinfo endpoint with the openidconnect library, a parsing error occurred. This might suggest an issue with how the user information is being returned or formatted, potentially due to a deviation from the expected OpenID Connect standard in the response from Logto.

Expected behavior

This API should return a 200 status code along with JSON content compliant with the OIDC standard.

How to reproduce?

Retrieve user info using Rust’s openidconnect 3.5.0 and Logto Cloud.

Context

  • [x] Logto Cloud
  • [ ] Self-hosted, Logto version =
    • [ ] Container (Docker image)
    • [ ] Raw Node.js

AH-dark avatar Sep 17 '24 09:09 AH-dark

Could you please provide a sample project to reproduce this issue? Or the full error messages of the response, and your OIDC configuration.

wangsijie avatar Sep 18 '24 01:09 wangsijie

> Could you please provide a sample project to reproduce this issue? Or the full error messages of the response, and your OIDC configuration.

// Module-level imports the snippet relies on (openidconnect 3.x).
use openidconnect::core::CoreUserInfoClaims;
use openidconnect::reqwest::async_http_client;
use openidconnect::AccessToken;

// Method on a struct that owns `client: CoreClient`; `user::Model` and `Error`
// are the application's own types, and `Error` must implement `From` for the
// two openidconnect error types surfaced by the `?` operators below.
pub async fn get_user_by_token(&self, token: String) -> Result<(user::Model, CoreUserInfoClaims), Error> {
    let access_token = AccessToken::new(token);
    // Second argument is the expected subject; `None` skips the `sub` cross-check.
    // The first `?` surfaces a ConfigurationError (no userinfo endpoint in the
    // provider metadata), the second a UserInfoError (HTTP failure or claims
    // parsing failure, which is where the error reported here shows up).
    let user_info_claims: CoreUserInfoClaims = self
        .client
        .user_info(access_token, None)?
        .request_async(async_http_client)
        .await?;

    let sub = user_info_claims.subject().as_str();
    let user = self.get_or_create_user(sub).await?;

    Ok((user, user_info_claims))
}

Here is a simple code snippet that demonstrates a straightforward method using the standard CoreClient and CoreUserInfoClaims provided by openidconnect.

My application is quite large, so it's difficult for me to extract a complete application. You can use any SPA application (I am using React and @logto/react) to log in via the OIDC service provided by Logto Cloud, obtain the Access Token, and pass it to the Rust backend. Then use this Access Token to request the /oidc/me endpoint, which returns an erroneous response.

AH-dark avatar Sep 20 '24 19:09 AH-dark

I'll take a look soon.

wangsijie avatar Sep 23 '24 00:09 wangsijie

It seems that Logto does not omit null values, and the returned updated_at and created_at are Unix timestamps in milliseconds, not seconds, which is not in compliance with the standard.

AH-dark avatar Sep 24 '24 16:09 AH-dark

hi @AH-dark, thanks for your detailed information, there are two things to do:

  1. Omit fields with null values
  2. Change the updated_at unit to seconds.

However, this will cause a breaking change, so let's hold for now, need to discuss with the team.

wangsijie avatar Oct 10 '24 01:10 wangsijie