OIDC extension - "Unable to produce a viable 'sub' claim" error
Ing. Jiří Špaček
jiri.spacek at fit.cvut.cz
Tue Feb 11 07:12:03 EST 2020
Hi,
I'm trying to get the OIDC extension working (2.0.0-beta1) in IDP 4.0 and
I've got some problems with regard to "sub" claim resolution.
I'm using pretty much the default configuration that is included in
java-idp-oidc and the installation instructions from GitHub [1].
After logging in (authorization code flow) and confirming the consent
grant dialog (which lists email, email_verified and subject claims), the
IDP redirects me to the OIDC client's redirect_uri with the following
"invalid_request" error response:
2020-02-11 12:36:32,858 - 0:0:0:0:0:0:0:1 - INFO
[Shibboleth-Consent-Audit.OIDCSSO:282] -
2020-02-11T11:36:32.858518Z|demo_rp|AttributeReleaseConsent|spaceji3|email,subject,email_verified||true
2020-02-11 12:36:32,894 - 0:0:0:0:0:0:0:1 - DEBUG
[org.geant.idpextension.oidc.profile.logic.AttributeResolutionSubjectLookupFunction:137]
- Searching for 'sub' claim among encodeable attributes
2020-02-11 12:36:32,895 - 0:0:0:0:0:0:0:1 - WARN
[org.geant.idpextension.oidc.profile.logic.AttributeResolutionSubjectLookupFunction:179]
- Unable to produce a viable 'sub' claim
2020-02-11 12:36:32,895 - 0:0:0:0:0:0:0:1 - ERROR
[org.geant.idpextension.oidc.profile.impl.SetSubjectToResponseContext:85]
- Profile Action SetSubjectToResponseContext: Subject may not be null
2020-02-11 12:36:32,913 - 0:0:0:0:0:0:0:1 - DEBUG
[org.geant.idpextension.oidc.profile.impl.AbstractBuildErrorResponseFromEvent:157]
- Profile Action BuildAuthenticationErrorResponseFromEvent: No mapped
event found for InvalidProfileContext, creating general invalid_request
2020-02-11 12:36:32,915 - 0:0:0:0:0:0:0:1 - DEBUG
[org.geant.idpextension.oidc.profile.impl.AbstractBuildErrorResponseFromEvent:164]
- Profile Action BuildAuthenticationErrorResponseFromEvent:
ErrorResponse successfully set as the outbound message
2020-02-11 12:36:32,924 - 0:0:0:0:0:0:0:1 - DEBUG
[org.geant.idpextension.oidc.encoding.impl.NimbusResponseEncoder:146] -
Outbound response
Headers:
Location:http://localhost:8080?error_description=InvalidProfileContext&error=invalid_request
I've successfully tried the same setup on IDP 3.4.6 with the 1.1.0 version of
the OIDC extension.
It seems that the implementation of AttributeResolutionSubjectLookupFunction
has changed significantly in 2.0.0 and
now utilizes the new Attribute Registry API, but the provided configuration
(in idp-oidc-extension-distribution/) does not reflect those changes.
I was able to get it to work after I:
1. in attribute-resolver-oidc.xml renamed AttributeDefinition "subject"
   to "sub"
2. in attribute-filter-oidc.xml changed the attributeID accordingly:
   <AttributeRule attributeID="subject"> -> <AttributeRule attributeID="sub">
3. in ./attributes/default-rules.xml added a rule like this:
   <bean parent="shibboleth.TranscodingProperties">
     <property name="properties">
       <props merge="true">
         <prop key="id">sub</prop>
         <prop key="transcoder">OIDCStringTranscoder</prop>
         ....
       </props>
     </property>
   </bean>
Could I be missing something or could this be a bug?
Also, what is the right way to contribute now that development switched
to Shibboleth project?
I was unable to find any guide on how to contribute except Contribution
Policy [2] but that does not say where to send patches.
Thanks in advance,
Jiri
[1] https://github.com/CSCfi/shibboleth-idp-oidc-extension/wiki/Installing-from-archive
[2] https://wiki.shibboleth.net/confluence/display/DEV/Contribution+Policy
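The three-file mismatch described in the post above (resolver defines "subject", filter releases "subject", no transcoding rule for "sub", while the 2.0.0 lookup function searches encodeable attributes for "sub") is easy to check mechanically before restarting the IdP. The script below is an added example, not code from the post or from the OIDC extension project: it parses the three configuration files the post names and reports where the attribute id the subject lookup expects is missing. The sample XML is constructed and trimmed to the elements the post shows (real files carry xsi:type attributes, data connectors and more rules); the namespace URIs and the shibboleth.TranscodingProperties parent bean are the standard Shibboleth ones, and the transcoder name OIDCStringTranscoder is taken from the post.

```python
# Added example: consistency check for the OIDC 'sub' claim wiring across
# attribute-resolver-oidc.xml, attribute-filter-oidc.xml and
# attributes/default-rules.xml. Not part of the original post or project.
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip a namespace prefix such as '{urn:mace:shibboleth:2.0:resolver}'."""
    return tag.rsplit("}", 1)[-1]


def resolver_attribute_ids(xml_text: str) -> set:
    """Attribute ids defined by AttributeDefinition elements in the resolver."""
    root = ET.fromstring(xml_text)
    return {el.get("id") for el in root.iter()
            if _local(el.tag) == "AttributeDefinition" and el.get("id")}


def filter_released_ids(xml_text: str) -> set:
    """Attribute ids that have an AttributeRule in the filter policy."""
    root = ET.fromstring(xml_text)
    return {el.get("attributeID") for el in root.iter()
            if _local(el.tag) == "AttributeRule" and el.get("attributeID")}


def transcoding_rules(xml_text: str) -> dict:
    """Map attribute id -> transcoder for every shibboleth.TranscodingProperties bean."""
    root = ET.fromstring(xml_text)
    rules = {}
    for bean in root.iter():
        if _local(bean.tag) != "bean" or bean.get("parent") != "shibboleth.TranscodingProperties":
            continue
        props = {p.get("key"): (p.text or "").strip()
                 for p in bean.iter() if _local(p.tag) == "prop" and p.get("key")}
        if "id" in props:
            rules[props["id"]] = props.get("transcoder", "")
    return rules


def check_claim_wiring(resolver_xml: str, filter_xml: str, rules_xml: str,
                       claim_id: str = "sub") -> list:
    """Return the places where claim_id is not wired up; an empty list means OK."""
    problems = []
    if claim_id not in resolver_attribute_ids(resolver_xml):
        problems.append(f'attribute-resolver-oidc.xml: no AttributeDefinition id="{claim_id}"')
    if claim_id not in filter_released_ids(filter_xml):
        problems.append(f'attribute-filter-oidc.xml: no AttributeRule attributeID="{claim_id}"')
    rules = transcoding_rules(rules_xml)
    if claim_id not in rules:
        problems.append(f'default-rules.xml: no TranscodingProperties rule with id "{claim_id}"')
    elif not rules[claim_id]:
        problems.append(f'default-rules.xml: rule for "{claim_id}" names no transcoder')
    return problems


# Constructed samples (trimmed): the shipped state described in the post ...
RESOLVER_BEFORE = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver">
  <AttributeDefinition id="subject"/>
  <AttributeDefinition id="email"/>
</AttributeResolver>"""

FILTER_BEFORE = """<AttributeFilterPolicyGroup xmlns="urn:mace:shibboleth:2.0:afp">
  <AttributeFilterPolicy id="OPENID_SCOPE">
    <AttributeRule attributeID="subject"/>
    <AttributeRule attributeID="email"/>
  </AttributeFilterPolicy>
</AttributeFilterPolicyGroup>"""

RULES_BEFORE = """<beans xmlns="http://www.springframework.org/schema/beans">
  <bean parent="shibboleth.TranscodingProperties">
    <property name="properties">
      <props merge="true">
        <prop key="id">email</prop>
        <prop key="transcoder">OIDCStringTranscoder</prop>
      </props>
    </property>
  </bean>
</beans>"""

# ... and the state after the three edits from the post (rename to "sub",
# adjust the filter rule, add a transcoding rule for "sub").
RESOLVER_AFTER = RESOLVER_BEFORE.replace('id="subject"', 'id="sub"')
FILTER_AFTER = FILTER_BEFORE.replace('attributeID="subject"', 'attributeID="sub"')
RULES_AFTER = RULES_BEFORE.replace("</beans>", """  <bean parent="shibboleth.TranscodingProperties">
    <property name="properties">
      <props merge="true">
        <prop key="id">sub</prop>
        <prop key="transcoder">OIDCStringTranscoder</prop>
      </props>
    </property>
  </bean>
</beans>""")

if __name__ == "__main__":
    for label, cfg in (("before", (RESOLVER_BEFORE, FILTER_BEFORE, RULES_BEFORE)),
                       ("after", (RESOLVER_AFTER, FILTER_AFTER, RULES_AFTER))):
        print(label, check_claim_wiring(*cfg) or "sub claim wired in all three files")
```

Against real files, read the three XML documents from the IdP's conf directory and pass their contents to check_claim_wiring; each reported line names the file and the element that is missing, which maps directly onto the three manual steps in the post. The matcher compares local element names only, so it works regardless of which prefix the files bind the resolver, filter and Spring beans namespaces to.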