PocketID: Access to claims does not work

[meerumschlungen]

First, thank you for your great project!
I'm struggling to get claims work with PocketID. I can't figure out what's wrong with my configuration. This is a simulation to get out as much information as possible.

My middleware:

http:
  middlewares:
    oidc-test:
      plugin:
        traefik-oidc-auth:
          LogLevel: DEBUG
          Secret: SC9JQatvDUC4j5y9mvI9y0LJ0jx9yduH
          Provider:
            Url: https://idp.example.com
            ClientId: 881af94c-b643-4a4e-a5ed-3c6d3f9316f2
            ClientSecret: Shjc2VwkMPUwvlSAhqdolyCZwb3x52Sh
            # UsePkce: true
          TokenValidation: "IdToken"
          Scopes: ["openid", "profile", "email", "groups"]
          Headers:
            - Name: X-Access-Token
              Value: "{{`{{ .accessToken }}`}}"
            - Name: X-Id-Token
              Value: "{{`{{ .idToken }}`}}"
            - Name: X-Refresh-Token
              Value: "{{`{{ .refreshToken }}`}}"
            - Name: Remote-User
              Value: "{{`{{ .claims.preferred_username }}`}}"
            - Name: Remote-Name
              Value: "{{`{{ .claims.name }}`}}"
            - Name: Remote-Email
              Value: "{{`{{ .claims.email }}`}}"
            - Name: X-Claims
              Value: "{{`{{ .claims }}`}}"

The incoming request at the target service looks like this:

GET / HTTP/1.1
Host: test.example.com
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Referer: https://idp.example.com/
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Mac...
X-Access-Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlEzSEFNTUZIb2ZzIiwidHlwIj...
X-Forwarded-For: 10.0.3.3
X-Forwarded-Host: test.example.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 328e4e871a44
X-Id-Token: eyJhbGciOiJSUzI1NiIsImtpZCI6IlEzSEFNTUZIb2Z...
X-Real-Ip: 10.0.3.3
X-Refresh-Token: nQ4qaQZnTcMZBIP6gr...
Remote-Email: <no value>
Remote-Name: <no value>
Remote-User: <no value>
X-Claims: map[aud:[881af94c-b643-4a4e-a5ed-3c6d3f9316f2] exp:1.747128518e+09 iat:1.747124918e+09 iss:https://idp.example.com sub:decf2fdc-b657-4c81-875b-56c42622a14f type:oauth-access-token]

Though I'm requesting the profile-scope and set TokenValidation to "IdToken" according to the docs but the claims do not include any profile information (see the X-Claims Header).
The Debug log of traefik-oidc-auth has no further insights despite logging the flow redirections.
Can you point me in the right direction why this is the case?

[sevensolutions]

Hi @meerumschlungen,
if you forward the access- and it token like this to the whoami container,

Headers:
  - Name: X-Access-Token
    Value: "{{`{{ .accessToken }}`}}"
  - Name: X-Id-Token
    Value: "{{`{{ .idToken }}`}}"

you can then copy the JWT token you received and paste it into https://jwt.io to see which claims it contains.

[meerumschlungen]

Thanks for the hint. The same ID token from the example before looks good. It contains all profile and group information. So the issue seems to be that the claims are not cleanly transferred to the object which is used for the go template.

[sevensolutions]

Ok, can you please show me the structure of the token for the profile and role information?
I will try to reproduce it.

[sevensolutions]

Ah i see you also mapped the entire claim object into a header and it looks like it is always using the access token here instead of the configured one (IdToken) in your case.
I will play around with that and maybe create an issue for this.

[meerumschlungen]

It cost me about a day of debugging and in the end I figured out. It was a nesting problem of the TokenValidation property which is part of the Provider object:
Not working:

http:
  middlewares:
    oidc-test:
      plugin:
        traefik-oidc-auth:
          Secret: ...
          Provider:
            Url: https://...
            ClientId: ...
            ClientSecret: ...
          TokenValidation: "IdToken" # <-----------

Working:

http:
  middlewares:
    oidc-test:
      plugin:
        traefik-oidc-auth:
          Secret: ...
          Provider:
            Url: https://...
            ClientId: ...
            ClientSecret: ...
            TokenValidation: "IdToken" # <-----------

[meerumschlungen]

@sevensolutions Thanks for your efforts!

[sevensolutions]

Oh, i also overlooked that in your config.
Glad you solved it 👍