All work (title, issue key, status, assignee)
- Transcoding of object type of claim fails (JCOMOIDC-127, Philip Smart)
- Release 3.2.0 (JCOMOIDC-125, resolved, Philip Smart)
- Profile configuration setting for limiting initial access token to self (JCOMOIDC-124, resolved, Henri Mikkonen)
- Profile configuration setting for strict scope validation (JCOMOIDC-123, resolved, Henri Mikkonen)
- Maximum lifetime for jti-claim validator's replay cache records (JCOMOIDC-121, resolved, Henri Mikkonen)
- Improve jti-claim validator's handling of overly long values (JCOMOIDC-120, resolved, Henri Mikkonen)
- Release 3.1.1 (JCOMOIDC-119, resolved, Philip Smart)
- As an OIDC RP, loginHintLookupStrategy seems to be ignored (JCOMOIDC-118, resolved, Philip Smart)
- Profile configuration setting for custom redirect URI validation (JCOMOIDC-117, resolved, Henri Mikkonen)
- Profile configuration setting for message handler (JCOMOIDC-116, resolved, Henri Mikkonen)
- Update Nimbus oauth2-oidc-sdk into 10.15 (JCOMOIDC-115, resolved, Henri Mikkonen)
- BaseJWTSignatureSecurityHandler cannot resolve trust engine via custom context location (JCOMOIDC-114, resolved, Henri Mikkonen)
- TrustEngine implementation for token derived credentials (JCOMOIDC-113, resolved, Henri Mikkonen)
- Profile configuration settings for OAuth2 DPoP (JCOMOIDC-112, resolved, Henri Mikkonen)
- Remove exp-claim requirement for JWTIdentifierClaimsValidator (JCOMOIDC-111, resolved, Henri Mikkonen)
- Add link back to Nimbus and JOSE javadocs (JCOMOIDC-109, resolved, Henri Mikkonen)
- Profile Configuration for OAuth2 PAR (JCOMOIDC-108, resolved, Henri Mikkonen)
- Release 3.1.0 (JCOMOIDC-107, resolved, Henri Mikkonen)
- Fix incorrect NonNull annotations in API (JCOMOIDC-106, resolved, Henri Mikkonen)
- Profile configuration setting to require OIDC authentication request (JCOMOIDC-105, resolved, Henri Mikkonen)
- Enable dynamic type header naming when signing tokens (JCOMOIDC-104, resolved, Henri Mikkonen)
- Add metadata-driven naming to attribute transcoders (JCOMOIDC-103, resolved, Henri Mikkonen)
- Implement metadata cache loading strategy for generic resources (JCOMOIDC-102, resolved, Henri Mikkonen)
- Fix Principal typing issue in profile config default implementation (JCOMOIDC-101, resolved, Philip Smart)
- Allowed ResponseModes should be configurable (JCOMOIDC-100, resolved, Henri Mikkonen)
- Metadata policy merging misses subordinate values with some operators (JCOMOIDC-99, resolved, Henri Mikkonen)
- Suggest changing the support level for Versions 1.0.0 through 3.0.0 (JCOMOIDC-98, Henri Mikkonen)
- Release 3.0.1 (JCOMOIDC-97, Philip Smart)
- Support custom/additional metadata policy operators (JCOMOIDC-96, resolved, Henri Mikkonen)
- Add clockSkew and idGenerator configuration hooks to JSONSecurityConfiguration (JCOMOIDC-95, resolved, Henri Mikkonen)
- Profile configuration option for refresh token type (JCOMOIDC-94, resolved, Henri Mikkonen)
- com.nimbusds.oauth2.sdk subject_types_supported out of spec (JCOMOIDC-92, resolved, Henri Mikkonen)
- Refactor profile configuration options on major version change (JCOMOIDC-91, Henri Mikkonen)
- Add CSP protection to views (JCOMOIDC-90, resolved, Philip Smart)
- Add a new CredentialFactoryBean type which allows null objects from createInstance (JCOMOIDC-89, Philip Smart)
- Credential factory beans are returning null from doCreateInstance (JCOMOIDC-88, Philip Smart)
- Profile configuration for OIDC logout (JCOMOIDC-87, resolved, Henri Mikkonen)
- Add PKCE support to the OIDC message encoders (JCOMOIDC-86, resolved, Philip Smart)
- Add PKCE support to authorization request object (JCOMOIDC-85, resolved, Philip Smart)
- Test-jar dependency is needed for generic testing utility classes (JCOMOIDC-84, Henri Mikkonen)
- Release commons 3.0.0 and config 2.0.0 (JCOMOIDC-83, resolved, Philip Smart)
- Update into the IdP V5 codebase (JCOMOIDC-82, resolved, Henri Mikkonen)
- Support policies for unregistered clients (JCOMOIDC-81, resolved, Henri Mikkonen)
- RemoteJwkUtils HTTP resource leak (JCOMOIDC-80, resolved, Henri Mikkonen)
- Add protocol message logging support to the AbstractOIDCMessageEncoder (JCOMOIDC-79, resolved, Philip Smart)
- Fix possible NPE in JWETokenDecrypter when jcaKeyAlg is not supported by the registry (JCOMOIDC-78, resolved, Philip Smart)
- Use security params lookup strategy in base signature security handler (JCOMOIDC-77, Philip Smart)
- Decouple signature signing logic from SignJWTHandler (JCOMOIDC-76, resolved, Philip Smart)
- Release 2.2.1 (JCOMOIDC-75, resolved, Philip Smart)
- Add annotations to profile configuration settings for diagnostics (JCOMOIDC-74, resolved, Henri Mikkonen)
Transcoding of object type of claim fails (JCOMOIDC-127)

Description

The OIDC RP uses the transcoder to decode received claims before storing them to the subject. This fails if the incoming claim is of type Object. The OIDCStringAttributeTranscoder class expects such claims to be of type 'net.minidev.json.JSONObject', but they actually are of type 'com.nimbusds.jose.shaded.gson.internal.LinkedTreeMap'. As a result the claim is silently lost in the transcoding process and never stored to the Subject, even when a transcoder of the presumably correct type is configured.

Activity

Philip Smart, April 4, 2025 at 4:22 PM
Technically, this could be solved in the RP for now, as that controls the claim going into the Transcoder.

Philip Smart, April 4, 2025 at 4:06 PM (edited)
Speaking to Scott, it might be OK for a patch to convert the LinkedTreeMap into the expected JSONObject before it hits the transcoder.
Also, I'll speak to @Henri about testing this from his real OP instance.

Scott Cantor, March 31, 2025 at 12:27 PM
Certainly in the bigger picture, having a dedicated API to wrap and expose JSON messages is the closest analog to what was done for SAML, and the Transcoding layer was definitely designed around that idea.
One way around it might be to instantiate a delegating object implementing a dedicated marker interface and be able to get at the different representations we have to accommodate in the different cases, so the Transcoders would operate on that marker type but get at the guts via a separate method internally.
Then the transcoders would know for certain they were given an object intentionally to process.

Philip Smart, March 28, 2025 at 4:37 PM
This was not easy to test because the OIDCStringAttributeTranscoder encodedType is a JSONObject. So, I did not go through the usual TranscoderRegistry and instead called the decodeValues method of the OIDCStringAttributeTranscoder directly with the LinkedTreeMap.
I think the best option here with the least change would be to add an if clause that tests for a Map and serialises that Map to a JSON string value (just as it does for a JSON Object).

Philip Smart, March 28, 2025 at 11:54 AM
Yes, the decode method does not understand that type, as you say. Both are java.util.Maps. I'll take a look.

jlauros@csc.fi, March 28, 2025 at 12:31 PM
Map makes sense. Maybe that is the answer for it then.
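As an added example (not code from the Shibboleth OIDC project or from any commenter in this issue), the Map branch Philip Smart proposes in his March 28 comment, written as a stand-alone decoder: a `net.minidev.json.JSONObject` is serialised as before, any other `java.util.Map` (a `LinkedHashMap` stands in for the shaded Gson `LinkedTreeMap`, which is not on this example's classpath) is copied into a `JSONObject` and serialised the same way, and anything else is logged as unsupported instead of being dropped without a trace. The class name `ObjectClaimDecoder` and the methods `decodeValue`/`decodeValues` are assumptions for the example; the only dependency is json-smart (`net.minidev.json`).

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Logger;

import net.minidev.json.JSONObject;

/** Added example; not the project's OIDCStringAttributeTranscoder. */
public final class ObjectClaimDecoder {

    private static final Logger LOG = Logger.getLogger(ObjectClaimDecoder.class.getName());

    private ObjectClaimDecoder() {
    }

    /**
     * Decode one raw claim value into the string the attribute layer stores.
     *
     * @param value the claim value as parsed from the OIDC message
     * @return a JSON string for object-typed claims, the string itself for string claims,
     *         or null when the type is not handled here (the caller skips it, but the
     *         reason is logged so the loss is visible in diagnostics)
     */
    public static String decodeValue(final Object value) {
        if (value == null) {
            return null;
        }
        if (value instanceof String) {
            return (String) value;
        }
        if (value instanceof JSONObject) {
            // Existing behaviour: the json-smart type serialises directly.
            return ((JSONObject) value).toJSONString();
        }
        if (value instanceof Map) {
            // The suggested fix: any other Map (e.g. the shaded LinkedTreeMap produced by the
            // Nimbus parser) is copied into a JSONObject and serialised exactly like one.
            // Keys are stringified defensively so a non-String key cannot throw here.
            final JSONObject wrapped = new JSONObject();
            for (final Map.Entry<?, ?> entry : ((Map<?, ?>) value).entrySet()) {
                wrapped.put(String.valueOf(entry.getKey()), entry.getValue());
            }
            return wrapped.toJSONString();
        }
        // Anything else is still unsupported in this example; say so instead of staying silent.
        LOG.warning("Unsupported claim value type " + value.getClass().getName()
                + ", claim value dropped");
        return null;
    }

    /** Decode a list of claim values, skipping those the decoder cannot represent. */
    public static List<String> decodeValues(final List<?> values) {
        final List<String> decoded = new ArrayList<>();
        for (final Object value : values) {
            final String s = decodeValue(value);
            if (s != null) {
                decoded.add(s);
            }
        }
        return decoded;
    }

    public static void main(final String[] args) {
        // Constructed sample claim, parsed into a plain Map as a stand-in for LinkedTreeMap.
        final Map<String, Object> address = new LinkedHashMap<>();
        address.put("street_address", "Example Street 1");
        address.put("locality", "Example City");

        // Without the Map branch this first call would have returned null and the claim vanished.
        System.out.println("Map claim    : " + decodeValue(address));
        System.out.println("JSONObject   : " + decodeValue(new JSONObject(address)));
        System.out.println("String claim : " + decodeValue("plain"));
        System.out.println("Unsupported  : " + decodeValue(Integer.valueOf(42)));
        System.out.println("List         : " + decodeValues(List.of(address, "plain", 42)));
    }
}
```

Only the branches the thread discusses are handled; numbers, booleans and arrays are left to whatever the real transcoder does with them. The warning on the unsupported branch is the detection point this issue was missing: a claim that reaches the decoder with a type it cannot handle should show up in the log rather than disappear from the Subject.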