[Bug] Crash parsing Open ID Configuration #2772

@a-jackson


Which version of Microsoft.IdentityModel are you using?
Note that to get help, you need to run the latest version.

v8.0.1. Issue exists in 8.0.0 as well.

Where is the issue?

  • M.IM.JsonWebTokens
  • M.IM.KeyVaultExtensions
  • M.IM.Logging
  • M.IM.ManagedKeyVaultSecurityKey
  • M.IM.Protocols
  • M.IM.Protocols.OpenIdConnect
  • M.IM.Protocols.SignedHttpRequest
  • M.IM.Protocols.WsFederation
  • M.IM.TestExtensions
  • M.IM.Tokens
  • M.IM.Tokens.Saml
  • M.IM.Validators
  • M.IM.Xml
  • S.IM.Tokens.Jwt
  • Other (please describe)

Is this a new or an existing app?

a. The app is in production and I have upgraded to a new version of Microsoft.IdentityModel.*

Repro

I don't have a minimal reproduction. The bug is in parsing the /.well-known/openid-configuration, and it fails at any operation that requires it since updating to v8.0.0.

Expected behavior
Should be able to login/logout etc.

Actual behavior
InvalidOperationException: Cannot compare the value of a token type 'EndObject' to text.

InvalidOperationException: IDX20803: Unable to obtain configuration from: 'https://<redacted>/.well-known/openid-configuration'. Will retry at '08/08/2024 07:48:16 +00:00'. Exception: 'System.InvalidOperationException: Cannot compare the value of a token type 'EndObject' to text.
at System.Text.Json.ThrowHelper.ThrowInvalidOperationException_ExpectedStringComparison(JsonTokenType tokenType)
at System.Text.Json.Utf8JsonReader.ValueTextEquals(ReadOnlySpan`1 utf8Text)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(Utf8JsonReader& reader, OpenIdConnectConfiguration config)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json, OpenIdConnectConfiguration config)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationSerializer.Read(String json)
at Microsoft.IdentityModel.Protocols.OpenIdConnect.OpenIdConnectConfigurationRetriever.GetAsync(String address, IDocumentRetriever retriever, CancellationToken cancel)
at Microsoft.IdentityModel.Protocols.ConfigurationManager`1.GetConfigurationAsync(CancellationToken cancel)'.

Possible solution

I believe it is the change added in commit 077b975f027205a53e4d458bf456e4050e947952. Here and here.

The new if statements are missing an else. In our openid-configuration, acr_values_supported is the last property.

Therefore the previous if statement reads those values and advances the reader to the EndObject token, then this if statement expects it to be a property name and the exception is thrown. Adding the else would prevent the evaluation.
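
A minimal model of the failure described in this issue, added here as an illustration; it is not the Microsoft.IdentityModel source. The JSON documents, the `ConsumeValue` helper and both parse methods are constructed for the example, and `issuer` stands in for whichever property the second `if` tests.

```csharp
using System;
using System.Text;
using System.Text.Json;

static class MissingElseDemo
{
    // Constructed discovery documents: same properties, different order.
    const string AcrFirst = "{\"acr_values_supported\":[\"a\"],\"issuer\":\"https://idp.example\"}";
    const string AcrLast  = "{\"issuer\":\"https://idp.example\",\"acr_values_supported\":[\"a\"]}";

    // Hypothetical helper: skips the current property's value and leaves the
    // reader on the token after it (next PropertyName, or EndObject if last).
    static void ConsumeValue(ref Utf8JsonReader r) { r.Skip(); r.Read(); }

    // Two independent `if`s: the second one runs even when the first matched.
    static int ParseSequentialIfs(string json)
    {
        var r = new Utf8JsonReader(Encoding.UTF8.GetBytes(json));
        int known = 0;
        r.Read(); r.Read();                       // StartObject, then first PropertyName
        while (r.TokenType == JsonTokenType.PropertyName)
        {
            if (r.ValueTextEquals("acr_values_supported")) { ConsumeValue(ref r); known++; }
            // The reader may now sit on EndObject; ValueTextEquals only accepts
            // PropertyName or String tokens and throws InvalidOperationException.
            if (r.ValueTextEquals("issuer")) { ConsumeValue(ref r); known++; }
            else ConsumeValue(ref r);             // unknown property
        }
        return known;
    }

    // `else if` chain: at most one branch per iteration, token type re-checked by the loop.
    static int ParseChained(string json)
    {
        var r = new Utf8JsonReader(Encoding.UTF8.GetBytes(json));
        int known = 0;
        r.Read(); r.Read();
        while (r.TokenType == JsonTokenType.PropertyName)
        {
            if (r.ValueTextEquals("acr_values_supported")) { ConsumeValue(ref r); known++; }
            else if (r.ValueTextEquals("issuer")) { ConsumeValue(ref r); known++; }
            else ConsumeValue(ref r);
        }
        return known;
    }

    static void Main()
    {
        Console.WriteLine(ParseSequentialIfs(AcrFirst)); // succeeds: order hides the bug
        Console.WriteLine(ParseChained(AcrLast));        // succeeds with the else in place
        try { ParseSequentialIfs(AcrLast); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

Because the sequential form only fails when the matched property is the last one in the object, a parser test suite should cover each handled property in the final position of the document.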
