beta oidc extension
Jim Fox
fox at washington.edu
Fri Nov 16 14:43:25 EST 2018
This is a first look at the beta oidc extension.
The instructions were easy to follow.
One thing regarding the issuer setting in idp-oidc.properties: Instructions say it has to be https scheme, host, ..
However, my dev idp has an entity id of "urn:mace:incommon:washington.edu:dev". This seemed to work ok.
Using an apache client with mod_auth_openidc, when I asked for an "id_token" response everything went OK. However, when I asked for "code" the userinfo request caused an Exception: "Storage object was not present in session"
ERROR [net.shibboleth.idp.session.impl.StorageBackedSessionManager:809] - Exception while querying for session ID 08c2ad259333354bf747f82d0598a901017af9363375a2f574d8e8ade8ab14b8
java.io.IOException: net.shibboleth.utilities.java.support.logic.ConstraintViolationException: Storage object was not present in session
at org.opensaml.storage.AbstractMapBackedStorageService.readImpl(AbstractMapBackedStorageService.java:307)
at org.opensaml.storage.AbstractMapBackedStorageService.read(AbstractMapBackedStorageService.java:113)
at net.shibboleth.idp.session.impl.StorageBackedSessionManager.lookupBySessionId(StorageBackedSessionManager.java:801)
at net.shibboleth.idp.session.impl.StorageBackedSessionManager.resolve(StorageBackedSessionManager.java:592)
at net.shibboleth.idp.session.impl.StorageBackedSessionManager.resolveSingle(StorageBackedSessionManager.java:617)
at net.shibboleth.idp.session.impl.StorageBackedSessionManager.resolveSingle(StorageBackedSessionManager.java:110)
at org.geant.idpextension.oidc.profile.impl.ValidateUserPresence.doExecute(ValidateUserPresence.java:101)
at org.opensaml.profile.action.AbstractProfileAction.execute(AbstractProfileAction.java:117)
...
lines immediately above that in the log show:
DEBUG [org.geant.idpextension.oidc.profile.impl.ValidateAccessToken:103] - Profile Action ValidateAccessToken: access token unwrapped {"sub":"fox","cnsntd_claims":["email","givenName","subject","surname"],"cnsntbl_claims":["email","givenName","subject","surname"],"iss":"urn:mace:incommon:washington.edu:dev","clid":"urizen","prncpl":"fox","type":"at","nonce":"menUSMG3Kymnywq77dWAy0a7nfwnZMc_8b5212w26zY","sid":"08c2ad259333354bf747f82d0598a901017af9363375a2f574d8e8ade8ab14b8","auth_time":1542388994,"scope":"openid profile email eduperson_scoped_affiliation edumember_is_member_of","redirect_uri":"https:\/\/urizen.s.uw.edu\/oidctest\/redirect_uri","exp":1542396460,"iat":1542395860,"jti":"_aba0de8366481951d4e2d06fff728605"}
DEBUG [org.geant.idpextension.oidc.profile.impl.ValidateAccessToken:120] - Profile Action ValidateAccessToken: access token _aba0de8366481951d4e2d06fff728605 validated
Lines previous to that (for the initial login) also indicated that same session ID.
I didn't do any storage configuration as part of the oidc installation. And I don't see this error with any other shib (SAML) operations.
Jim
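An added triage script, not part of Jim's post, that correlates the sid claim carried in the unwrapped access token with the session ID named in the StorageBackedSessionManager exception, so a reader can confirm from a log excerpt that the userinfo request is looking up the very session the token was issued against. The log text is a constructed, abridged excerpt of the lines quoted above (same sid, jti and session ID; other claims trimmed).

```python
import json
import re

# Constructed excerpt of the three relevant log lines from the post.
LOG = """\
DEBUG [org.geant.idpextension.oidc.profile.impl.ValidateAccessToken:103] - Profile Action ValidateAccessToken: access token unwrapped {"sub":"fox","iss":"urn:mace:incommon:washington.edu:dev","clid":"urizen","type":"at","sid":"08c2ad259333354bf747f82d0598a901017af9363375a2f574d8e8ade8ab14b8","jti":"_aba0de8366481951d4e2d06fff728605"}
DEBUG [org.geant.idpextension.oidc.profile.impl.ValidateAccessToken:120] - Profile Action ValidateAccessToken: access token _aba0de8366481951d4e2d06fff728605 validated
ERROR [net.shibboleth.idp.session.impl.StorageBackedSessionManager:809] - Exception while querying for session ID 08c2ad259333354bf747f82d0598a901017af9363375a2f574d8e8ade8ab14b8
"""

# The JSON payload the extension logs after unwrapping an access token.
UNWRAPPED_RE = re.compile(r"access token unwrapped (\{.*\})$")
# The session ID the IdP session manager failed to read from storage.
SESSION_ERR_RE = re.compile(r"Exception while querying for session ID ([0-9a-f]+)")


def correlate(log_text):
    """Map each access-token sid in the log to the jti values that carry it,
    and flag sids whose session-store lookup raised an exception."""
    tokens = {}    # sid -> list of jti
    failed = set()  # session IDs from "Exception while querying" lines
    for line in log_text.splitlines():
        m = UNWRAPPED_RE.search(line)
        if m:
            claims = json.loads(m.group(1))
            # Only access tokens ("type":"at") bind a sid to the IdP session.
            if claims.get("type") == "at" and "sid" in claims:
                tokens.setdefault(claims["sid"], []).append(claims.get("jti"))
            continue
        m = SESSION_ERR_RE.search(line)
        if m:
            failed.add(m.group(1))
    return {sid: {"jti": jtis, "session_lookup_failed": sid in failed}
            for sid, jtis in tokens.items()}


def orphaned_tokens(log_text):
    """Tokens whose sid the IdP could not find in its session store."""
    return [(sid, info["jti"]) for sid, info in correlate(log_text).items()
            if info["session_lookup_failed"]]


if __name__ == "__main__":
    for sid, jtis in orphaned_tokens(LOG):
        print("session %s missing from store; tokens: %s" % (sid, ", ".join(jtis)))
```

A match between the token's sid and the failed session ID points at session storage or session lifetime rather than at token validation, which is the distinction the post is trying to draw.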