Hi,
I wonder if this is a real bug or just a cosmetic issue in GeoServers (2.28.1, built from source) OIDC:
- Authentication works, but an error is logged: 28 019 13:19:50 WARN [oauth2.spring] - OIDC token validation failed with 1 errors. [invalid_id_token] The ID Token contains invalid claims: {aud=[urn:microsoft:userinfo]}
- The logged ID token does not contain this claim, but the Access token does. As far as I can tell, this is the way it should be.
- The ADFS admin says there should be a “roles” claim in the Access token, but there isn’t, so I can’t get authorization working.
Is GeoServer validating the wrong token?
Is this failing validation resulting in some claims being scrubbed from the token? I noticed that the log contains the token headers separately, in what I assume to be a half-decoded state; does that mean GeoServer processes the contents somehow before use?
(I’ve seen tokens encoding both the headers and the body elsewhere)
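To check which token actually carries which claims, here is an added example (not GeoServer or ADFS code) that decodes a JWT's header and claims without verifying the signature and reports whether `aud` contains the expected client id and whether a `roles` claim is present. The client id, issuer and both tokens below are constructed placeholders; the signature segment is a dummy, so this is for inspecting captured tokens only, not for accepting them.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> tuple[dict, dict]:
    """Split a compact JWT into decoded header and claims. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def inspect_token(token: str, expected_aud: str) -> dict:
    """Report the two facts the thread turns on: aud vs. client id, and roles."""
    header, claims = decode_jwt(token)
    aud = claims.get("aud", [])
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be string or array
    return {
        "alg": header.get("alg"),
        "aud": aud_list,
        "aud_matches": expected_aud in aud_list,
        "roles": claims.get("roles") or [],
    }


def make_sample_jwt(claims: dict) -> str:
    # Constructed sample token with a dummy signature segment (offline illustration only).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}.dummysig"


# Constructed stand-ins for the two tokens described above (placeholder values, not real ADFS output).
CLIENT_ID = "example-client-id"
ISSUER = "https://adfs.example.invalid/adfs"
ID_TOKEN = make_sample_jwt({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user1"})
ACCESS_TOKEN = make_sample_jwt({"iss": ISSUER, "aud": ["urn:microsoft:userinfo"], "sub": "user1"})

if __name__ == "__main__":
    for name, tok in (("id_token", ID_TOKEN), ("access_token", ACCESS_TOKEN)):
        print(name, inspect_token(tok, CLIENT_ID))
```

Run it against the two tokens from the log (pasted in place of the constructed ones) and compare the `aud` and `roles` fields of each to see which token the aud error and the missing roles belong to.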
Did you try to select Access Token from the roles resolver?
By the way, which version of the OIDC plugin are you using?
I have tried both ID and Access tokens, and as far as the contents of the tokens go, I’m leaning towards a misunderstanding on the part of the ADFS admin. I tried a Keycloak setup and it worked, roles came through fine.
But the logging seems a bit off.
I have “GeoServer Security OpenID Connect”, gs-sec-oidc-core, 2.28.1, and “GeoServer Web UI Security OpenID Connect”, gs-sec-oidc-web, 2.28.1.
GeoServer is installed from the 2.28.1 zip file, plugins compiled like this:
git clone https://github.com/geoserver/geoserver.git geoserver
cd geoserver
git checkout 2.28.1
cd geoserver/src/community
mvn clean install -P jwt-headers,oidc -DskipTests -T 2C
cd ../..
mvn -f src/community/pom.xml clean install -B -DskipTests -PcommunityRelease,assembly -T 2C -fae
…and in the end the jars found in the tree are copied into the WEB-INF/lib directory of GeoServer.