Exception on empty scopes #389

Closed
superdupershant opened this issue Jun 29, 2017 · 9 comments

@superdupershant

Hi all, not sure if the behavior is intended, but we've noticed that if there is an empty scope, i.e. a scope is in the message but it is an empty string instead of a string or an array, then there is an indexoutofbounds exception in message.py.

Is this a bug or should scopes never be empty? We're using Keycloak and there are certain scopes around group membership which produce an empty scope.

@schlenk
Collaborator

schlenk commented Jun 30, 2017

Can you provide the traceback?

@superdupershant
Author

See below: while the key exists for the scope "groups", its value is empty and the error ends up coming from the array access val[0].

/usr/lib/python2.7/site-packages/oic/oauth2/message.py in to_dict
elif isinstance(val, list) and isinstance(val[0], Message):

Here's the data:
null_allowed: False
key: u'groups'
val: []
_spec: {'_claim_names': (<class 'oic.oauth2.message.Message'>,
                         False,
                         <function msg_ser at 0x7f33b092fe60>,
                         <function message_deser at 0x7f33b092fde8>,
                         False),
        '_claim_sources': (<class 'oic.oauth2.message.Message'>,
                           False,
                           <function msg_ser at 0x7f33b092fe60>,
                           <function message_deser at 0x7f33b092fde8>,
                           False),
        'address': (<class 'oic.oauth2.message.Message'>,
                    False,
                    <function msg_ser at 0x7f33b092fe60>,
                    <function address_deser at 0x7f33b092fcf8>,
                    False),
        'birthdate': (<type 'basestring'>, False, None, None, False),
        'email': (<type 'basestring'>, False, None, None, False),
        'email_verified': (<type 'bool'>, False, None, None, False),
        'family_name': (<type 'basestring'>, False, None, None, False),
        'gender': (<type 'basestring'>, False, None, None, False),
        'given_name': (<type 'basestring'>, False, None, None, False),
        'locale': (<type 'basestring'>, False, None, None, False),
        'middle_name': (<type 'basestring'>, False, None, None, False),
        'name': (<type 'basestring'>, False, None, None, False),
        'nickname': (<type 'basestring'>, False, None, None, False),
        'phone_number': (<type 'basestring'>, False, None, None, False),
        'phone_number_verified': (<type 'basestring'>, False, None, None, False),
        'picture': (<type 'basestring'>, False, None, None, False),
        'preferred_username': (<type 'basestring'>, False, None, None, False),
        'profile': (<type 'basestring'>, False, None, None, False),
        'sub': (<type 'basestring'>, True, None, None, False),
        'updated_at': (<type 'int'>, False, None, None, False),
        'website': (<type 'basestring'>, False, None, None, False),
        'zoneinfo': (<type 'basestring'>, False, None, None, False)}
self: <oic.oic.message.OpenIDSchema object at 0x7f33b1400c50>
req: False
_res: {'family_name': u'Test',
       'given_name': u'User',
       'preferred_username': u'usertest',
       'sub': u'56c704d6-466b-4bfd-af50-c0c8880d6453'}
lev: 1
_ser: None
_: None

@schlenk
Collaborator

schlenk commented Jun 30, 2017

Looks like a bug to me, yes. The base class should handle an empty list. Not sure about empty scopes, but at least the message handling is wrong.
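
The failure discussed in this thread, as an added example that is not part of the issue and not pyoidc's own code: a simplified stand-in `Message` class showing the unguarded `val[0]` check from the traceback beside a variant that tolerates an empty list claim such as `groups`. The names `to_dict_unguarded`, `sample_userinfo`, `unguarded_raises_index_error` and the nested `address` value are assumptions made for the illustration.

```python
# Added illustration; a simplified stand-in, not pyoidc's Message class.

class Message(object):
    """Minimal claim container with a recursive to_dict()."""

    def __init__(self, **claims):
        self._dict = dict(claims)

    def to_dict_unguarded(self):
        """Mirrors the check quoted in the traceback: val[0] on any list."""
        res = {}
        for key, val in self._dict.items():
            if isinstance(val, Message):
                res[key] = val.to_dict_unguarded()
            elif isinstance(val, list) and isinstance(val[0], Message):
                res[key] = [v.to_dict_unguarded() for v in val]
            else:
                res[key] = val
        return res

    def to_dict(self):
        """Guarded variant: an empty list is passed through unchanged."""
        res = {}
        for key, val in self._dict.items():
            if isinstance(val, Message):
                res[key] = val.to_dict()
            elif isinstance(val, list):
                # Convert Message items one by one; never index blindly.
                res[key] = [v.to_dict() if isinstance(v, Message) else v
                            for v in val]
            else:
                res[key] = val
        return res

def sample_userinfo():
    """Constructed input: claims from the report plus the empty 'groups'."""
    return Message(
        sub="56c704d6-466b-4bfd-af50-c0c8880d6453",
        preferred_username="usertest",
        given_name="User",
        family_name="Test",
        groups=[],  # empty claim value, as in the reported data
        address=Message(locality="Example City"),  # constructed nested claim
    )

def unguarded_raises_index_error():
    """True if the unguarded conversion fails on the empty list."""
    try:
        sample_userinfo().to_dict_unguarded()
    except IndexError:
        return True
    return False
```
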

@decentral1se decentral1se added this to the P2: SHOULD milestone Sep 27, 2017
@rohe rohe self-assigned this Sep 28, 2017
@rohe
Collaborator

rohe commented Sep 28, 2017

If you're doing OIDC then scope MUST have at least one value (=='oidc').
OAuth2 has no such limitations.
You should get a VerifyError for the message rather than an indexOutOfBounds.

@rohe
Collaborator

rohe commented Sep 28, 2017

Hmm, VerifyError you can only get when you import into a Message instance, not when you're converting to some other format. So not applicable here.

@schlenk
Collaborator

schlenk commented Sep 28, 2017

'scope' here is probably the wrong keyword.
The problem here seems to be one of the extra claims that keycloak sends, which may have an empty value.
It is a claim with the empty JSON string as Claim Value, which is legal according to the JWT spec.

@rohe
Collaborator

rohe commented Sep 28, 2017

So where is the problem?
In parsing something received or producing a dictionary from an existing Message instance?
The mention of to_dict made me believe it was the latter, but what you're saying is that it's the former.
Also, I think the line @superdupershant refers to is not there anymore.
So I don't know if the problem still exists.

@thekidfromoak

Appears to have been fixed in #411

@tpazderka
Collaborator

OK, closing then.


6 participants