Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: broken JSON round-tripping for custom claims #3819

Merged
merged 2 commits into from
Aug 14, 2024
Merged

fix: broken JSON round-tripping for custom claims #3819

merged 2 commits into from
Aug 14, 2024

Conversation

alnr
Copy link
Contributor

@alnr alnr commented Aug 13, 2024

Adding custom claims with numerical types (think JavaScript Number) previously did not
round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims
would end up as floating points in exponential notation in the final token. That, in turn,
confused or broke downstream consumers of the token, including Kratos.

Ref go-jose/go-jose#144

@alnr
fix: incorrect context passthru
23c7464
@alnr
fix: broken JSON round-tripping for custom claims
a28aed9 
Adding custom claims with numerical types (think JavaScript Number) previously did not
round-trip through Hydra correctly. For example, passing UNIX timestamps in custom claims
would end up as floating points in exponential notation in the final token. That, in turn,
confused or broke downstream consumers of the token, including Kratos.

Ref go-jose/go-jose#144
@alnr alnr self-assigned this Aug 13, 2024
@aeneasr
Copy link
Member

aeneasr commented Aug 14, 2024

There was this PR: #3722

Is that the same issue, and if yes, #3722 seems to use the number decoding in more places.

@aeneasr
Copy link
Member

aeneasr commented Aug 14, 2024

Also, are there any implications for backwards compatibility with prior consent sessions?

@alnr
Copy link
Contributor Author

alnr commented Aug 14, 2024

Yes I did see #3722. As the author discovered, using json.Number does not fix this issue. The underlying problem is described here: go-jose/go-jose#144

I don't think this will cause any regressions. This change mostly or exclusively impacts how numbers are serialized into the final token, it doesn't really change any underlying data. While we're handling the custom claims in hydra, we serialize+deserialize them to/from JSON a couple of times. Each time, any "type" information about whether the number is a float or integer is lost since this distinction doesn't exist in JSON.

@alnr alnr merged commit b36b701 into master Aug 14, 2024
30 checks passed
@alnr alnr deleted the alnr/fix-session-data branch August 14, 2024 09:20
@alnr alnr mentioned this pull request Aug 14, 2024
Closed
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aeneasr aeneasr aeneasr approved these changes

@hperl hperl Awaiting requested review from hperl hperl is a code owner

Assignees

@alnr alnr

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alnr @aeneasr