OIDC against Auth0 support #580

Open
opened 2025-10-31 15:15:45 -05:00 by GiteaMirror · 4 comments

Originally created by @romancin on GitHub (Sep 17, 2025).

Hi! I am trying to enable OIDC with Auth0. It enables fine after configuring it with the parameters described in the docs, and Komodo starts successfully:

```
INFO: Config File Keywords: ["*config.*"]
2025-09-17T05:24:04.372789Z  INFO core: Komodo Core version: v1.19.4
2025-09-17T05:24:04.372884Z  INFO core: CoreConfig { title: "Komodo", host: "https://komodo.mydomain", port: 9120, bind_ip: "[::]", internet_interface: "", passkey: "##############", timezone: "Europe/Madrid", ui_write_disabled: false, disable_confirm_dialog: false, disable_websocket_reconnect: false, disable_init_resources: false, enable_fancy_toml: false, first_server: Some("https://komodo-periphery:8120"), first_server_name: "Local", frontend_path: "/app/frontend", database: DatabaseConfig { uri: "", address: "komodo-mongo:27017", username: "##############", password: "##############", app_name: "komodo_core", db_name: "komodo" }, local_auth: true, init_admin_username: None, init_admin_password: "##############", transparent_mode: false, enable_new_users: false, disable_user_registration: true, lock_login_credentials_for: [], disable_non_admin_create: false, jwt_secret: "##############", jwt_ttl: OneDay, oidc_enabled: true, oidc_provider: "https://romancincloud.eu.auth0.com/", oidc_redirect_host: "", oidc_client_id: "##############", oidc_client_secret: "##############", oidc_use_full_email: false, oidc_additional_audiences: ["##############", "##############"], google_oauth: OauthCredentials { enabled: false, id: "", secret: "" }, github_oauth: OauthCredentials { enabled: false, id: "", secret: "" }, webhook_secret: "##############", webhook_base_url: "", github_webhook_app: GithubWebhookAppConfig { app_id: 0, installations: [], pk_path: "/github/private-key.pem" }, logging: LogConfig { level: Info, stdio: Standard, pretty: false, location: true, otlp_endpoint: "", opentelemetry_service_name: "Komodo" }, pretty_startup_config: false, unsafe_unsanitized_startup_config: false, keep_stats_for_days: 14, keep_alerts_for_days: 14, resource_poll_interval: FiveMinutes, monitoring_interval: FifteenSeconds, aws: AwsCredentials { access_key_id: "##############", secret_access_key: "##############" }, git_providers: [], docker_registries: [], secrets: {}, ssl_enabled: false, ssl_key_file: "/config/ssl/key.pem", ssl_cert_file: "/config/ssl/cert.pem", sync_directory: "/syncs", repo_directory: "/repo-cache", action_directory: "/action-cache" }
2025-09-17T05:24:04.729150Z  INFO core::api::auth: 🔑 Local Login Enabled
2025-09-17T05:24:04.730764Z  INFO core::api::auth: 🔑 OIDC Login Enabled
2025-09-17T05:24:04.732250Z  INFO core: 🔓 Core SSL Disabled
2025-09-17T05:24:04.732285Z  INFO core: Komodo Core starting on http://[::]:9120
```

I can log in to Auth0 correctly, but after that, I have an error:

```
{"error":"Failed to get Oauth token","trace":["Failed to parse server response","Failed to parse payload JSON: Error(\"updated_at: data did not match any variant of untagged enum Timestamp\", line: 1, column: 528) at line 1 column 1695"]}
```

It seems that Auth0 returns `updated_at` as a string, not a timestamp, and it seems other tools that implement the same library for OIDC had the same problem:
https://github.com/Timshel/vaultwarden/issues/74

Could it be fixed too in Komodo?

Thank you very much!

GiteaMirror added the bug label 2025-10-31 15:15:45 -05:00

@mbecker20 commented on GitHub (Sep 17, 2025):

Thanks for pointing this out, the issue seems to be in the upstream OIDC library `openidconnect`, specifically here: https://github.com/ramosbugs/openidconnect-rs/blob/b639b5d39eac6903238867aeb2b29326502e6b26/src/claims.rs#L87

@romancin commented on GitHub (Sep 18, 2025):

I think the OIDC specification takes that parameter as timestamp, so I think the library is fine, as it is compliant against the official one. The problem seems to be that Auth0 defined it as a String because it was developed before the OIDC spec was GA.


@romancin commented on GitHub (Sep 18, 2025):

It seems the library fixed this issue: https://github.com/ramosbugs/openidconnect-rs/issues/136#issuecomment-3042211814

https://github.com/search?q=repo%3Aramosbugs%2Fopenidconnect-rs%20accept-rfc3339-timestamps&type=code

But I don't know how to use this :(


@romancin commented on GitHub (Sep 19, 2025):

If it helps anyone, I solved it from the Auth0 side, using a Custom post-login action that overwrites `updated_at`. Really awful thing, but it works:

```
exports.onExecutePostLogin = async (event, api) => {
  const { updated_at } = event.session;

  api.idToken.setCustomClaim('updated_at', new Date(Date.parse("updated_at")));
  api.accessToken.setCustomClaim('updated_at', new Date(Date.parse("updated_at")));
};
```
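
Added example, not code from this thread, Komodo or openidconnect-rs: OIDC Core defines `updated_at` as a JSON number of seconds since the Unix epoch, so this sketch normalises the claim to that form on the relying-party side and rejects any other shape instead of guessing. All function names and sample payloads are constructed for illustration; `wireForm` shows what a `Date` object becomes once a claim is serialised to JSON.

```javascript
// Added example; every name and sample value here is constructed for illustration.
const RFC3339 = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?(Z|[+-]\d{2}:\d{2})$/;

// OIDC Core 5.1 form: a finite, non-negative JSON number (seconds since epoch).
function isSpecTimestamp(value) {
  return typeof value === 'number' && Number.isFinite(value) && value >= 0;
}

// Convert an updated_at value to whole epoch seconds, or throw on anything
// that is neither a spec number nor a full RFC 3339 date-time string.
function toEpochSeconds(value) {
  if (isSpecTimestamp(value)) return Math.floor(value);
  if (typeof value === 'string' && RFC3339.test(value)) {
    const ms = Date.parse(value);
    if (!Number.isNaN(ms)) return Math.floor(ms / 1000);
  }
  throw new TypeError(`unsupported updated_at: ${JSON.stringify(value)}`);
}

// Return a copy of the claims with updated_at normalised; an absent claim
// stays absent because updated_at is optional.
function normalizeClaims(claims) {
  if (!('updated_at' in claims)) return { ...claims };
  return { ...claims, updated_at: toEpochSeconds(claims.updated_at) };
}

// What a claim value looks like after a JSON round trip (its wire form).
function wireForm(value) {
  return JSON.parse(JSON.stringify({ updated_at: value })).updated_at;
}

// Constructed ID-token payloads: string and numeric form of the same instant.
const STRING_CLAIMS = { sub: 'auth0|constructed', updated_at: '2025-09-17T05:20:00.000Z' };
const NUMBER_CLAIMS = { sub: 'auth0|constructed', updated_at: 1758086400 };

console.log(normalizeClaims(STRING_CLAIMS)); // updated_at becomes a number
console.log(normalizeClaims(NUMBER_CLAIMS)); // already in spec form, unchanged
console.log(wireForm(new Date(STRING_CLAIMS.updated_at))); // a Date serialises to a string
console.log(wireForm(new Date(NaN))); // an invalid Date serialises to null
```
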
Reference: github-starred/komodo#580