nextcloud-oidc-login

Bug in at_hash verification in OpenID-Connect-PHP 3rd party library

Open coudot opened this issue 5 years ago • 4 comments

Hello,

I found a little bug while using this plugin; the bug comes from the OpenID-Connect-PHP 3rd party library. The verification of at_hash does not conform to the OpenID Connect specification.

There is a pull request here for people facing the same issue: https://github.com/jumbojett/OpenID-Connect-PHP/pull/222

coudot, Jun 19 '20 17:06
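For reference, the at_hash check as OpenID Connect Core 1.0 (section 3.1.3.6) defines it, shown as an added example that is not code from OpenID-Connect-PHP or nextcloud-oidc-login. The function names and the sample token are constructed for illustration, and the example assumes the ID token signature has already been validated elsewhere.

```php
<?php
// Added example: function names are hypothetical, not the library's API.
function base64url_encode(string $bytes): string {
    return rtrim(strtr(base64_encode($bytes), '+/', '-_'), '=');
}

function base64url_decode(string $text): string {
    $padded = $text . str_repeat('=', (4 - strlen($text) % 4) % 4);
    $decoded = base64_decode(strtr($padded, '-_', '+/'), true);
    if ($decoded === false) {
        throw new InvalidArgumentException('invalid base64url segment');
    }
    return $decoded;
}

// Hash the ASCII access token with the SHA-2 variant named by the ID token's
// alg (RS256 -> SHA-256), keep the left-most half of the raw digest bytes,
// then base64url-encode that half without padding.
function expected_at_hash(string $accessToken, string $alg): string {
    if (!preg_match('/^(?:RS|PS|ES|HS)(256|384|512)$/', $alg, $m)) {
        throw new InvalidArgumentException("unsupported alg: $alg");
    }
    $digest = hash('sha' . $m[1], $accessToken, true); // raw bytes, not hex
    return base64url_encode(substr($digest, 0, intdiv(strlen($digest), 2)));
}

// Assumption: a missing at_hash counts as a failure here. The claim is
// optional in some flows, so a real client decides that per flow.
function verify_at_hash(string $idToken, string $accessToken): bool {
    $parts = explode('.', $idToken);
    if (count($parts) !== 3) {
        return false;
    }
    $header = json_decode(base64url_decode($parts[0]), true);
    $claims = json_decode(base64url_decode($parts[1]), true);
    $alg = is_array($header) ? ($header['alg'] ?? null) : null;
    $atHash = is_array($claims) ? ($claims['at_hash'] ?? null) : null;
    if (!is_string($alg) || !is_string($atHash)) {
        return false;
    }
    // Constant-time comparison of the recomputed value with the claim.
    return hash_equals(expected_at_hash($accessToken, $alg), $atHash);
}

// Constructed sample: unsigned token with a placeholder signature segment.
$accessToken = 'constructed-sample-access-token';
$header = base64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
$claims = base64url_encode(json_encode(['sub' => 'alice', 'at_hash' => expected_at_hash($accessToken, 'RS256')]));
var_dump(verify_at_hash("$header.$claims.sig", $accessToken));          // token the ID token was issued with
var_dump(verify_at_hash("$header.$claims.sig", 'a-different-token'));   // substituted access token
```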

Are there visible consequences of this bug in nextcloud-oidc-login?

azmeuk, Oct 19 '22 07:10

Yes, of course: it fails with an OpenID Connect provider which respects the standard.

But it seems the bug was already fixed in https://github.com/jumbojett/OpenID-Connect-PHP/pull/200

So you just need to use a recent version of the lib.

coudot, Oct 19 '22 07:10

The lib has been updated since the bug was fixed. Can you confirm this is fixed on the nextcloud-oidc-login side?

azmeuk, Oct 19 '22 07:10

I don't have access to the server for now; I'll see if I can find time to do a new installation.

coudot, Oct 19 '22 12:10