View differences
Updated by Jan Sandbrink 10 months ago
### Steps to reproduce
1. Configure an OpenID Connect provider with claims using the [example from our docs](https://www.openproject-edge.com/docs/system-admin-guide/authentication/openid-providers/#step-8-claims) (see below)
2. Make sure that the OpenID Connect provider does not fulfill the claim
3. Try to login
Docs example:
```json
{
  "id_token": {
    "acr": {
      "essential": true,
      "values": ["phr", "phrh", "Multi_Factor"]
    }
  }
}
```
### What is the buggy behavior?
An internal server error (unhandled exception) occurs.
### What is the expected behavior?
The user should see a proper error message (probably hinting at "ask your admin" and "essential claim is missing") and login should be prevented.
This is an expectable error case that could happen due to any kind of (mis)configuration by an administrator.
### Logs
```text
Expected one of ACR values ['phr', 'phrh', 'Multi_Factor'] in ['1']
lib/omniauth/strategies/openid_connect/claims.rb:95 OmniAuth::Strategies::OpenIDConnect::Claims#require_essential_claim!
lib/omniauth/strategies/openid_connect/claims.rb:79 block in OmniAuth::Strategies::OpenIDConnect::Claims#verify_id_token_claims!
lib/omniauth/strategies/openid_connect/claims.rb:78 Hash#each
lib/omniauth/strategies/openid_connect/claims.rb:78 OmniAuth::Strategies::OpenIDConnect::Claims#verify_id_token_claims!
lib/omniauth/strategies/openid_connect/claims.rb:31 OmniAuth::Strategies::OpenIDConnect::Claims#validate_access_token!
lib/omniauth/strategies/openid_connect.rb:98 OmniAuth::Strategies::OpenIDConnect#callback_phase
lib/omniauth/strategy.rb:238 OmniAuth::Strategy#callback_call
lib/omniauth/strategy.rb:189 OmniAuth::Strategy#call!
lib/omniauth/strategy.rb:169 OmniAuth::Strategy#call
lib/omniauth/builder.rb:45 OmniAuth::Builder#call
```
https://appsignal.com/openproject-gmbh/sites/673afebf83eb6776b27e7735/exceptions/incidents/705
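The handling described under "expected behavior", as an added Ruby example that is not OpenProject's or omniauth-openid-connect's own code: a hypothetical `verify_id_token_claims` that checks the `acr` claim against the docs configuration above and returns a structured failure for an unmet essential claim instead of letting the exception escape as a 500. The claims config and the `id_token` values (`acr: "1"`) are constructed from this report.

```ruby
require "json"

# Constructed sample: the claims request from the docs example in this report.
CLAIMS_CONFIG = JSON.parse(
  '{"id_token":{"acr":{"essential":true,"values":["phr","phrh","Multi_Factor"]}}}'
)

# Error type the login flow can rescue and turn into a user-facing message.
class EssentialClaimMissing < StandardError; end

# Check one requested claim against the decoded id_token (a Hash).
# Returns true when satisfied, false for an unmet non-essential claim
# (OIDC says those may be ignored), and raises for an unmet essential one.
def check_claim(name, config, id_token)
  expected = config["values"] || (config.key?("value") ? [config["value"]] : nil)
  actual = Array(id_token[name])
  satisfied = expected.nil? ? !actual.empty? : (expected & actual).any?
  return true if satisfied
  return false unless config["essential"]

  raise EssentialClaimMissing,
        "Expected one of #{name.upcase} values #{expected.inspect} in #{actual.inspect}"
end

# Verify every requested id_token claim. The rescue is the point: an admin
# misconfiguration or a provider that cannot satisfy the claim becomes a
# failure result the callback phase can render, not an internal server error.
def verify_id_token_claims(claims_config, id_token)
  (claims_config["id_token"] || {}).each do |name, config|
    check_claim(name, config, id_token)
  end
  { ok: true }
rescue EssentialClaimMissing => e
  { ok: false, reason: :essential_claim_missing, detail: e.message }
end

puts verify_id_token_claims(CLAIMS_CONFIG, { "acr" => "1" }).inspect
```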