
Identity Platform fails with OIDC SSO integration

Hi all,

I'm working on OIDC SSO integration between GCP Identity Platform and Clareity

I have successfully added OIDC Identity Provider with Code Flow by providing Issuer URL and the rest of params.

openid-configuration is accessible and is a valid JSON.

I have created a web page according to the docs and initiate the sign-in process through a pop-up.

Once a user authenticates within a pop-up there's an error in the GCP logs:

methodName: "google.cloud.identitytoolkit.v1.AuthenticationService.SignInWithIdp"
request: {
@type: "type.googleapis.com/google.cloud.identitytoolkit.v1.SignInWithIdpRequest"
returnIdpCredential: true
returnSecureToken: true
}
status: {
code: 3
message: "INVALID_IDP_RESPONSE : Cannot parse http response as JSON: eyJraWQiOiJiMDg3MzczYzNlMDk1YmM0N2VjZTgwZGQ2Yzg3NzgzYTcxZDBh......"
}
}

I truncated the JSON from the logs for security reasons.

What is returned is a valid signed JWT which I can parse without any issues using jwt.io.

This brings me to a question. Does Identity Platform expect some other kind of JSON response?
There's nothing in Google's docs about it and nothing I can find on the web.

What should I do, or tell Clareity to do, in order for Identity Platform to finish the SSO process?
There's too little control on the Identity Platform side so I cannot tune anything at all.

Thank you!


Hi @sokol8,

Welcome to Google Cloud Community!

Make sure that the response from Clareity is in the correct format and encoding. Some identity providers might return a base64url encoded JWT within a non-JSON response, which could lead to parsing issues for Identity Platform. Ensure the response body is valid JSON and includes the JWT as a key, not just the JWT in raw form. You can check these parameters when working with OIDC providers.

The error logs indicate that Identity Platform is unable to parse the response. It's a good idea to log the response from your provider at each stage of the authentication flow to determine if the issue is related to the response format.

If Clareity is returning a valid JWT, the problem is likely with how the response is structured or wrapped. It would be beneficial to share both the error log and the response structure with Clareity's support team to ensure the response is formatted in a way that Identity Platform can process correctly.

You can also check this document for how to use Identity Platform to sign in users with an OpenID Connect (OIDC) provider.

If the issue still persists and you need further assistance, you can file a ticket with our Google Cloud Support.

Was this helpful? If so, please accept this answer as “Solution”. If you need additional assistance, reply here within 2 business days and I’ll be happy to help.
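The distinction kensan draws above (a bare JWT in the body versus a JSON object that carries the JWT under a key) is easy to check before involving either vendor. The following is an added diagnostic, not code from this thread, from Google or from Clareity: it classifies a token-endpoint body the way a JSON-expecting relying party would see it. The expected shape it checks against is the one OIDC Core section 3.1.3.3 prescribes for a token endpoint (a JSON object with id_token, access_token and token_type); the sample JWT and JSON body are constructed here, and nothing is assumed about what Clareity actually returns. Note that the logged string in the original post begins with "eyJraWQi", which is the base64url encoding of '{"kid"', i.e. a JOSE header, which is consistent with a raw JWT being the whole body.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in compact JWS serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token: made-up header/payload and a fake signature.
# It only needs to have the compact JWS shape; it is not verifiable.
SAMPLE_HEADER = {"kid": "example-kid", "alg": "RS256"}
SAMPLE_PAYLOAD = {"iss": "https://idp.example.test", "sub": "user-123", "aud": "client-abc"}
SAMPLE_JWT = ".".join([
    _b64url(json.dumps(SAMPLE_HEADER).encode()),
    _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
    _b64url(b"not-a-real-signature"),
])

# Constructed sample of a spec-conformant token endpoint response (OIDC Core 3.1.3.3).
SAMPLE_GOOD_BODY = json.dumps({
    "access_token": "opaque-access-token",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": SAMPLE_JWT,
})


def decode_jwt_header(token: str) -> dict:
    """Decode only the unverified JOSE header (for diagnostics, never for trust decisions)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated segments")
    header_b64 = parts[0]
    padded = header_b64 + "=" * (-len(header_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def classify_token_response(body: str) -> dict:
    """Classify an HTTP body returned by a token endpoint.

    Returns {'kind': 'json_token_response' | 'raw_jwt' | 'invalid',
             'problems': [...], 'kid': <header kid if a JWT was found>}.
    'problems' lists what a relying party expecting the OIDC JSON shape would reject.
    """
    problems = []
    try:
        obj = json.loads(body)
    except json.JSONDecodeError:
        # Not JSON at all. The interesting failure mode: the body is a bare compact JWT.
        try:
            hdr = decode_jwt_header(body.strip())
        except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
            return {"kind": "invalid", "problems": ["body is neither JSON nor a compact JWS"]}
        return {
            "kind": "raw_jwt",
            "kid": hdr.get("kid"),
            "problems": [
                "token endpoint returned a bare JWT instead of a JSON object",
                'expected {"id_token": "<jwt>", "token_type": "Bearer", "access_token": ...}',
            ],
        }
    if not isinstance(obj, dict):
        return {"kind": "invalid", "problems": ["JSON body is not an object"]}
    if "id_token" not in obj:
        problems.append("missing required 'id_token' member")
    if str(obj.get("token_type", "")).lower() != "bearer":
        problems.append("token_type should be 'Bearer'")
    if "access_token" not in obj:
        problems.append("missing 'access_token' member")
    result = {"kind": "json_token_response", "problems": problems}
    if "id_token" in obj:
        try:
            result["kid"] = decode_jwt_header(str(obj["id_token"])).get("kid")
        except ValueError:
            problems.append("id_token is not a compact JWS")
    return result


if __name__ == "__main__":
    # Compare the two constructed bodies side by side.
    for label, body in (("raw JWT body", SAMPLE_JWT), ("JSON token response", SAMPLE_GOOD_BODY)):
        print(label, "->", classify_token_response(body))
```

To use this against a real provider, capture the token endpoint body with whatever you already log at that stage of the flow and pass it to classify_token_response; a result of raw_jwt is exactly the "Cannot parse http response as JSON" situation, and the problems list gives you concrete wording for the provider's support ticket.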


Hello @kensan,

Thanks a lot for your detailed response. I am waiting for a support call with Clareity some time later this week. Then I will know if we can resolve this situation.


Hi @kensan , we could not get OIDC to work. Clareity engineers claimed that their implementation is according to the standard and they could not change anything.

We found it easier to move to SAML - which fortunately worked out for us.

Great, thanks for your previous response!