Claim header values are encoded in UTF-8 character set as opposed to ISO-8859-1 character set #957
Replies: 2 comments 5 replies
-
|
thanks, I agree, it seems to make sense to have an option for ISO-8559-1 encoding at least; I'm willing to give this a try, would you be able to test and if so, for what platform (f not building from source) you'd need binaries? |
Beta Was this translation helpful? Give feedback.
-
|
Thanks, @zandbelt, we will need rpm binaries for CentOS 7 for testing. |
Beta Was this translation helpful? Give feedback.
-
|
ok, please try https://www.mod-auth-openidc.org/downloads/mod_auth_openidc-2.4.12.1rc4-1.el7.x86_64.rpm and set: OIDCPassClaimsAs headers latin1 |
Beta Was this translation helpful? Give feedback.
-
|
Confirming that using We are currently using |
Beta Was this translation helpful? Give feedback.
-
|
in the commit to master, the encoding applies to environment variables as well now (which it did not in your build); is that desirable or would you disagree? |
Beta Was this translation helpful? Give feedback.
-
|
Right, however keeping both in the same encoding does make sense and keeps things uniform across the board. Thanks for the quick fix @zandbelt |
Beta Was this translation helpful? Give feedback.
-
We are using the claim headers being injected by mod_auth_openidc plugin for authenticated requests in our service which is deployed on apache tomcat.
What we noticed is mod_auth_openidc plugin is encoding the value as per the UTF-8 character set as opposed to the ISO-8859-1 character set which is causing the problem.
As per RFC standard, By default, message header field parameters in Hypertext Transfer Protocol (HTTP) messages cannot carry characters outside the ISO-8859-1 character set(Reference - https://www.rfc-editor.org/rfc/rfc5987)
Apache Tomcat is properly decoding the values in ISO-8859-1 character set as per specification but since it receives the claim header from mod_auth_openidc plugin which are in UTF-8 character set, the wrong value is being interpreted by the application.
For example, say we have a user with the first name as GÜnther in IDP then mod_auth_openidc sends the header OIDC_FIRSTNAME with value G\xc3\x9cnther (This is encoded in UTF-8 character set) to the application which decodes it to GÃ�nther using ISO-8859-1 character set causing mentioned issue.
Thus, we think that encoding for header values needs to be changed to ISO-8859-1 character set on mod_auth_openidc however if you are reluctant to change the implementation, it would be great if you can give us the option to choose the encoding we want to use and keep the UTF-8 encoding as the default behavior.
Beta Was this translation helpful? Give feedback.
All reactions