Description
I'm not too familiar with the OpenID Connect standard, but I realized there are differences in how different providers return the id_token in a token response. A few examples (all sensitive, non-public information was removed or redacted):
Codeberg

Codeberg's access_tokens contain only metadata, while the id_token is returned in a separate field.

Access token (access_token)

```json
{
  "header": {
    "alg": "RS256",
    "kid": "kkCIyYrEzJpuahDA1kmtSZoJvPMY4tYM1ZcWmCviVGc",
    "typ": "JWT"
  },
  "payload": {
    "gnt": 31255,
    "tt": 0,
    "exp": 1760083647,
    "iat": 1760080047
  },
  "signature": "redacted"
}
```

ID Token (id_token)
```json
{
  "header": {
    "alg": "RS256",
    "kid": "kkCIyYrEzJpuahDA1kmtSZoJvPMY4tYM1ZcWmCviVGc",
    "typ": "JWT"
  },
  "payload": {
    "iss": "https://codeberg.org",
    "sub": "80338",
    "aud": [ "pbe9zo81-6c2e-44ec-b8a7-6qr9xzeqb4hm" ],
    "exp": 1760083647,
    "iat": 1760080047,
    "name": "Ferdinand Mütsch",
    "preferred_username": "n1try",
    "profile": "https://codeberg.org/n1try",
    "picture": "https://codeberg.org/avatars/daba75121eed572492a42bbdbd1ab8a1974f1b179d29a0e23a9b2dba9ba119bb",
    "website": "https://muetsch.io",
    "locale": "en-US",
    "updated_at": 1757689997,
    "email": "[email protected]",
    "email_verified": true
  },
  "signature": "redacted"
}
```

GitLab
GitLab, on the other hand, only returns a single string (not an actual JWT) as the access_token and, similar to Codeberg, sends the id_token in a separate field.
Access token (access_token)

```
dlvjqhcw0u113nh46cqqnwzqis9g3yvd1woo4rqsje7ijg06l10rgk13uosbktbc
```
ID Token (id_token)

```json
{
  "header": {
    "typ": "JWT",
    "kid": "kkCIyYrEzJpuahDA1kmtSZoJvPMY4tYM1ZcWmCviVGc",
    "alg": "RS256"
  },
  "payload": {
    "iss": "https://gitlab.com",
    "sub": "9895367",
    "aud": "9f0605da522d461d3f114c34ada7b4f84028fef4b37d73d3477efccc0cc651a5",
    "exp": 1760080403,
    "iat": 1760080283,
    "auth_time": 1759692897,
    "sub_legacy": "c42b269882d4a90613ea8d64e45586e66b12a027691cabdd594b041d44ef3b0f",
    "name": "Ferdinand Mütsch",
    "nickname": "fmuetsch",
    "preferred_username": "fmuetsch",
    "email": "[email protected]",
    "email_verified": true,
    "profile": "https://gitlab.com/fmuetsch",
    "picture": "https://secure.gravatar.com/avatar/704bbee7b0efd46aff098e862f06fd908a797ebcec49a2d3085cfa65fa7f53e7?s=80&d=identicon",
    "groups_direct": [ "hitparade" ]
  },
  "signature": "redacted"
}
```

Ferriskey
Ferriskey, however, seems to embed the ID token fields inside the access_token and instead returns a plain string as the id_token.
Access token (access_token)

```json
{
  "header": {
    "typ": "JWT",
    "alg": "RS256"
  },
  "payload": {
    "sub": "0199cce0-68b8-7259-a59c-af1433fc2252",
    "iat": 1760080368,
    "jti": "6320154a-670c-4a85-a9e0-8e53b4bfbaf3",
    "iss": "http://localhost:3334/realms/master",
    "typ": "Bearer",
    "azp": "ok4zvozpsspyq7l8ufoqfymls0o6k643",
    "aud": [ "master-realm", "account" ],
    "exp": 1760080668,
    "preferred_username": "n1try",
    "email": "[email protected]",
    "client_id": null
  },
  "signature": "redacted"
}
```

ID Token (id_token)

```
id_token
```
I'm not sure if Ferriskey is behaving correctly there. If I understand this part of the spec correctly, the id_token field should, in any case, be a valid JWT, no?
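As an added check (not code from this issue or from any of the providers named), the script below tests whether the id_token in a token response is structurally an ID Token JWT: three base64url segments plus the claims OpenID Connect Core requires (iss, sub, aud, exp, iat). The sample responses are constructed to mirror the shapes above; the client id and signature are placeholders, and no signature is verified.

```python
import base64
import json

# Claims every ID Token must carry (OpenID Connect Core 1.0, section 2).
REQUIRED_ID_TOKEN_CLAIMS = ("iss", "sub", "aud", "exp", "iat")


def b64url(data: bytes) -> str:
    """base64url without padding, the encoding used for JWT segments."""
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def decode_jwt(token: str):
    """Split a compact JWS into (header, payload) without checking the signature.
    Returns None when the value is not even structurally a JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        segs = [json.loads(base64.urlsafe_b64decode(p + "=" * (-len(p) % 4))) for p in parts[:2]]
    except ValueError:  # bad base64 (binascii.Error) and bad JSON both derive from ValueError
        return None
    if not all(isinstance(s, dict) for s in segs):
        return None
    return segs[0], segs[1]


def check_id_token(token_response: dict, now: int) -> list:
    """List structural problems with the id_token in a token response (empty = passes).
    Signature verification against the provider's JWKS is out of scope here and must
    still happen before any claim is trusted."""
    id_token = token_response.get("id_token")
    if not isinstance(id_token, str):
        return ["id_token missing or not a string"]
    decoded = decode_jwt(id_token)
    if decoded is None:
        return ["id_token is not a compact JWT (expected header.payload.signature)"]
    header, payload = decoded
    problems = [] if header.get("alg") not in (None, "none") else ["id_token header has no usable alg"]
    problems += [f"missing required claim {c}" for c in REQUIRED_ID_TOKEN_CLAIMS if c not in payload]
    if isinstance(payload.get("exp"), int) and payload["exp"] <= now:
        problems.append("id_token has expired")
    return problems


# Constructed samples modelled on the responses above; "redacted" stands in for a signature.
GOOD_PAYLOAD = {"iss": "https://codeberg.org", "sub": "80338", "aud": ["client-id-placeholder"],
                "exp": 1760083647, "iat": 1760080047, "email_verified": True}
CODEBERG_LIKE = {"access_token": "opaque-or-jwt", "id_token": ".".join(
    [b64url(b'{"alg":"RS256","typ":"JWT"}'), b64url(json.dumps(GOOD_PAYLOAD).encode()), "redacted"])}
FERRISKEY_LIKE = {"access_token": "eyJ...redacted", "id_token": "id_token"}
```

Running check_id_token over FERRISKEY_LIKE reports the plain-string id_token immediately, which is the failure a relying party should treat as a hard error rather than falling back to claims in the access_token.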