CSS needs a slash to oidcIssuer. NSS has no slash #28

Open
bourgeoa opened this issue Nov 20, 2024 · 5 comments

Comments

@bourgeoa
Member

bourgeoa commented Nov 20, 2024

no authentication after migration

2024-11-20T18:13:55.254Z [DPoPWebIdExtractor] {Primary} warn: Error verifying WebID via DPoP-bound access token: The access token issuer doesn't match its associated WebID's trusted OIDC issuers.
18|pivot  | Actual: https://solidcommunity.net:8443
18|pivot  | Expected: https://solidcommunity.net:8443/
@bourgeoa
Member Author

bourgeoa commented Nov 20, 2024

Not related to mashlib 1.10.0

The issue is that the /profile/card oidc issuer does not end with a slash in NSS.
The slash is needed in CSS.

@bourgeoa bourgeoa changed the title no uathencication after migration and [email protected] no authencication after migration and [email protected] Nov 20, 2024
@bourgeoa bourgeoa changed the title no authencication after migration and [email protected] no authencication after migration Nov 20, 2024
@bourgeoa bourgeoa changed the title no authencication after migration no authencation after migration Nov 20, 2024
@bourgeoa bourgeoa changed the title no authencation after migration no authentication after migration Nov 20, 2024
@bourgeoa
Member Author

This is what I found
The solid:oidcIssuer field in WebIDs is now mandatory per https://solid.github.io/solid-oidc/#webid-profile (related to nodeSolidServer/node-solid-server#1639)

The slash is not in the spec

@bourgeoa bourgeoa changed the title no authentication after migration Wrongly CSS needs a slash to oidcIssuer Nov 21, 2024
@csarven

csarven commented Nov 21, 2024

I'm not an expert on this matter, nor do I have a strong opinion either way, but as far as I can tell from:

https://openid.net/specs/openid-connect-core-1_0.html

Issuer Identifier
Verifiable Identifier for an Issuer. An Issuer Identifier is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

iss
REQUIRED. Issuer Identifier for the Issuer of the response. The iss value is a case-sensitive URL using the https scheme that contains scheme, host, and optionally, port number and path components and no query or fragment components.

the slash for the path is not required when there is no segment value.
That's path-abempty in https://www.rfc-editor.org/rfc/rfc3986#section-3.3

So, both https://example.org and https://example.org/ would be valid (as long as the issuer URL and iss value match.)

@bourgeoa bourgeoa changed the title Wrongly CSS needs a slash to oidcIssuer CSS needs a slash to oidcIssuer. NSS has no slash Nov 24, 2024
@michielbdejong
Collaborator

I think fixing this at the Pivot level would be quite complex. Let's report it to the CSS team as a bug (maybe this already happened even), and in the meantime work around it by making all our profiles CSS-compatible. Should be quite a simple script to run as part of the migration (I created an issue for that just now, #32).

On a side note, I was surprised to see CSS Webhooks actually seem to trim the trailing slash, not sure how that works.

But if adding a slash fixes it, then let's add a slash. :)
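
The mismatch from the log and the add-a-slash workaround proposed in this thread, as an added example that is not part of the thread and not code from CSS, NSS or the migration. The function names and the regex-based Turtle handling are assumptions for illustration, and the sample profile is constructed from the values in the log.

```javascript
// Added example; not code from CSS, NSS or the Pivot migration.
// Assumption: the profile is Turtle and names the predicate as solid:oidcIssuer
// or by its full IRI. A production migration should use an RDF parser.
const ISSUER_TRIPLE =
  /(solid:oidcIssuer|<http:\/\/www\.w3\.org\/ns\/solid\/terms#oidcIssuer>)(\s+)(<[^>]*>(?:\s*,\s*<[^>]*>)*)/g;

// Exact string comparison: the token's iss must equal a listed issuer.
function issuerTrusted(tokenIss, issuers) {
  return issuers.includes(tokenIss);
}

// Append "/" only when the issuer is an https URL with an empty path
// (RFC 3986 path-abempty). Anything with a path, query or fragment is
// returned unchanged so the migration never rewrites a different issuer.
function addRootSlash(issuer) {
  if (!/^https:\/\//.test(issuer) || /[?#]/.test(issuer)) return issuer;
  try { new URL(issuer); } catch { return issuer; }
  // WHATWG URL reports pathname "/" for both forms, so inspect the raw string.
  return issuer.slice('https://'.length).includes('/') ? issuer : issuer + '/';
}

// Collect every solid:oidcIssuer object IRI from the profile text.
function profileIssuers(turtle) {
  const found = [];
  for (const triple of turtle.matchAll(ISSUER_TRIPLE)) {
    for (const obj of triple[3].matchAll(/<([^>]*)>/g)) found.push(obj[1]);
  }
  return found;
}

// Rewrite only the object IRIs of solid:oidcIssuer; all other text is kept.
function migrateProfile(turtle) {
  return turtle.replace(ISSUER_TRIPLE, (_m, pred, ws, objects) =>
    pred + ws + objects.replace(/<([^>]*)>/g, (_o, iri) => `<${addRootSlash(iri)}>`));
}

// Constructed sample: an NSS-style profile and the issuer value CSS expects.
const sampleProfile = [
  '@prefix solid: <http://www.w3.org/ns/solid/terms#>.',
  '<#me> solid:oidcIssuer <https://solidcommunity.net:8443>;',
  '  solid:account </>.',
].join('\n');
const tokenIss = 'https://solidcommunity.net:8443/';

console.log('before:', issuerTrusted(tokenIss, profileIssuers(sampleProfile)));
console.log('after: ', issuerTrusted(tokenIss, profileIssuers(migrateProfile(sampleProfile))));
```

The rewrite is idempotent, so it can be re-run on profiles that already carry the slash.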

@bourgeoa
Member Author

> Let's report it to the CSS team

There is a discussion in matrix
