Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

extra_scopes are always of type list #457

Open
marcvs opened this issue Mar 11, 2024 · 2 comments
Open

extra_scopes are always of type list #457

marcvs opened this issue Mar 11, 2024 · 2 comments

Comments

@marcvs
Copy link

marcvs commented Mar 11, 2024

Expected Behavior

extra_scopes MUST be definable to be of ANY type!

I am checking the attributes sent from various OIDC-OPs, and all of the satosa instances (eduTeams, didmos) show this problem. Most pressing is the fact that "string" type attributes are sent as a "list of strings", which is against the spec, of e.g. org_domain, or schac_home_organization. Clients my break.

I theroy, bool type extra_scopes are possible, also "emptye list" too.

Steps to Reproduce

See here: https://cvs.data.kit.edu/~naco/

@ar-filho
Copy link

I'm using https://github.com/UniversitaDellaCalabria/SATOSA-oidcop, and I opened an Issue there. However, it was recommended that this modification occurs in SATOSA and not in the plugin.

For now we are doing this in the plugin:
UniversitaDellaCalabria/SATOSA-oidcop#50

I was analyzing how to suggest this update to SATOSA, and I think it could be an alternative to put an identifier in internal_attributes.yaml informing that that attribute is unique. This way, I believe it would resolve it.
Thinking about OIDC, some attributes such as address will still be sent as lists.

@c00kiemon5ter
Copy link
Member

You are right that this is happening atm. I agree with @ar-filho that this should be part of the information in the internal attributes, to specify rules for the multiplicity, the type, and even comparison options for the attributes.

Doing this with a separate structure can work. Otherwise we need to extend the existing structure, but it breaks existing configurations. I think however, that we can allow to parse both the old and new format and push everyone to use the new format.

The benefit of extending the existing structure is that we can ensure that the rules are in place for all attributes. With separate structure we need to find the corresponding entries or fallback to defaults. Inversely, the new structures can have more elements that the ones in the existing struct; what would that mean? It could be that we are introducing confusion and making the config more error prone by separating the structs.

I am thinking about it. Any thoughts are welcome.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants