Unable to sign in with Auth0 #2485

Closed
3 of 6 tasks
akshay196 opened this issue May 23, 2022 · 4 comments · Fixed by #2492
Labels
bug Something is not working.

Comments

@akshay196

Preflight checklist

Describe the bug

When trying to log in with the Auth0 provider, I get an internal error and am not able to log in. The error is reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64; check below for the full stack trace. It seems unmarshaling to Claims failed due to the string type of updated_at. I also noticed the issue is already fixed in #609, but I don't understand why we are converting the correct int64 type of updatedAt back to string (which might be the cause of this error). I am happy to contribute to fix this.

Reproducing the bug

Steps to reproduce the behavior:

  1. Follow quickstart guide to start Kratos locally.
  2. Follow this guide to set up the Auth0 provider, add a provider entry in Auth0 and use the Jsonnet code snippet given.
  3. Once you try to sign in with Auth0 provider you will get error as specified here.
  4. Also get following error on self-service UI
    image1

Relevant log output

kratos_1                      | time=2022-05-23T04:58:22Z level=error msg=An error occurred and is being forwarded to the error user interface. func=github.com/ory/x/logrusx.(*Logger).Logf file=/go/pkg/mod/github.com/ory/x@v0.0.358/logrusx/helper.go:118 audience=application error=map[debug: message:An internal server error occurred, please contact the system administrator reason:json: cannot unmarshal string into Go struct field Claims.updated_at of type int64 stack_trace:
kratos_1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*ProviderAuth0).Claims
kratos_1                      | 	/project/selfservice/strategy/oidc/provider_auth0.go:145
kratos_1                      | github.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback
kratos_1                      | 	/project/selfservice/strategy/oidc/strategy.go:330
kratos_1                      | github.com/ory/kratos/selfservice/strategy.disabledWriter
kratos_1                      | 	/project/selfservice/strategy/handler.go:25
kratos_1                      | github.com/ory/kratos/selfservice/strategy.IsDisabled.func1
kratos_1                      | 	/project/selfservice/strategy/handler.go:30
kratos_1                      | github.com/ory/kratos/x.NoCacheHandle.func1
kratos_1                      | 	/project/x/nocache.go:18
kratos_1                      | github.com/ory/kratos/x.NoCacheHandle.func1
kratos_1                      | 	/project/x/nocache.go:18
kratos_1                      | github.com/julienschmidt/httprouter.(*Router).ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387
kratos_1                      | github.com/ory/nosurf.(*CSRFHandler).handleSuccess
kratos_1                      | 	/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234
kratos_1                      | github.com/ory/nosurf.(*CSRFHandler).ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191
kratos_1                      | github.com/urfave/negroni.Wrap.func1
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46
kratos_1                      | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
kratos_1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos_1                      | github.com/ory/kratos/x.glob..func1
kratos_1                      | 	/project/x/clean_url.go:12
kratos_1                      | github.com/urfave/negroni.HandlerFunc.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29
kratos_1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1
kratos_1                      | 	/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:198
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1
kratos_1                      | 	/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:101
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1
kratos_1                      | 	/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:68
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2
kratos_1                      | 	/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:76
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1
kratos_1                      | 	/go/pkg/mod/github.com/prometheus/client_golang@v1.11.0/prometheus/promhttp/instrument_server.go:165
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1
kratos_1                      | 	/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/metrics.go:108
kratos_1                      | net/http.HandlerFunc.ServeHTTP
kratos_1                      | 	/usr/local/go/src/net/http/server.go:2047
kratos_1                      | github.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/ory/x@v0.0.358/prometheusx/middleware.go:30
kratos_1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38
kratos_1                      | github.com/ory/x/metricsx.(*Service).ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/ory/x@v0.0.358/metricsx/middleware.go:275
kratos_1                      | github.com/urfave/negroni.middleware.ServeHTTP
kratos_1                      | 	/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38 status:Internal Server Error status_code:500] http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en-GB,en-US;q=0.9,en;q=0.8 cache-control:max-age=0 connection:keep-alive cookie: <redacted> host:127.0.0.1:4433 method:GET path:/self-service/methods/oidc/callback/auth001 query:code=<redacted> remote:172.20.0.1:57888 scheme:http] service_name=Ory Kratos service_version=v0.9.0-alpha.3

Relevant configuration

selfservice:
  default_browser_return_url: http://127.0.0.1:4455/
  allowed_return_urls:
    - http://127.0.0.1:4455

  methods:
    password:
      enabled: true
    oidc:
      enabled: true
      config:
        providers:
          - provider: auth0
            id: auth001
            client_id: <redacted>
            client_secret: <redacted>
            mapper_url: file:///etc/config/kratos/oidc.auth0.jsonnet
            scope:
              - email
              - profile
              - openid
            issuer_url: https://<redacted>.auth0.com/

Version

kratos:v0.9.0-alpha.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response

@akshay196 akshay196 added the bug Something is not working. label May 23, 2022
@vinckr
Member

vinckr commented May 23, 2022

Thanks for reporting!
I would see to reproduce this before we make changes. Is a free tier on auth0 enough to reproduce?

@akshay196
Author

Thanks for reporting! I would see to reproduce this before we make changes. Is a free tier on auth0 enough to reproduce?

Yes. I have been using basic starter plan of Auth0 with no cost.

@aeneasr
Member

aeneasr commented May 27, 2022

That is strange, I thought we have an explicit workaround for that!

// There is a bug in the response from Auth0. The updated_at field may be a string and not an int64.
// https://community.auth0.com/t/oidc-id-token-claim-updated-at-violates-oidc-specification-breaks-rp-implementations/24098
// We work around this by reading the json generically (as map[string]interface{}) and looking at the updated_at field
// if it exists. If it's the wrong type (string), we fill out the claims by hand.
// Once auth0 fixes this bug, all this workaround can be removed.
b, err := ioutil.ReadAll(resp.Body)
if err != nil {
	return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("%s", err))
}
// Force updatedAt to be an int if given as a string in the response.
if updatedAtField := gjson.GetBytes(b, "updated_at"); updatedAtField.Exists() {

Any idea why that's not working?

@aeneasr
Member

aeneasr commented May 27, 2022

Ah yeah, the problem is that the int is formatted into a string here:

data["updated_at"] = strconv.FormatInt(updatedAt, 10)

aeneasr added a commit that referenced this issue May 27, 2022
peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this issue Jun 30, 2023
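
The failure discussed in this thread, reduced to a stand-alone program (an added example, not Kratos code and not the merged fix): putting the parsed timestamp back with strconv.FormatInt still yields a JSON string, so unmarshaling into an int64 field fails, while storing the int64 itself succeeds. The `claims` struct, the `decode` helper, the sample body and the assumption that the string form of updated_at is RFC 3339 are illustrative.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"time"
)

// claims is a hypothetical stand-in for the Claims struct in the error message.
type claims struct {
	UpdatedAt int64 `json:"updated_at"`
}

// sample is a constructed userinfo body, not a captured Auth0 response.
const sample = `{"sub":"auth0|example","updated_at":"2022-05-23T04:58:22.000Z"}`

// decode rewrites a string updated_at (assumed RFC 3339) as Unix seconds and
// unmarshals the result. asString=true keeps the strconv.FormatInt step.
func decode(raw []byte, asString bool) (claims, error) {
	var c claims
	var data map[string]interface{}
	if err := json.Unmarshal(raw, &data); err != nil {
		return c, err
	}
	if s, ok := data["updated_at"].(string); ok {
		t, err := time.Parse(time.RFC3339, s)
		if err != nil {
			return c, fmt.Errorf("updated_at: %w", err)
		}
		if asString {
			data["updated_at"] = strconv.FormatInt(t.Unix(), 10) // still a JSON string
		} else {
			data["updated_at"] = t.Unix() // marshals as a JSON number
		}
	}
	b, err := json.Marshal(data)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(b, &c)
	return c, err
}

func main() {
	_, err := decode([]byte(sample), true)
	fmt.Println("FormatInt:", err)
	c, err := decode([]byte(sample), false)
	fmt.Println("int64:", c.UpdatedAt, err)
}
```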