Dear SOGo community,

When attempting to connect SOGo v5.12.1.20250514-1 to a Shibboleth IdP v5.1.4 (with the corresponding OIDC extensions) via OIDC, an error occurs after successful authentication at the IdP, specifically when reading the IdP's JSON-encoded access token:
...
Jun 02 14:26:00 sogod [9041]: |SOGo| starting method 'GET' on uri '/SOGo/'
Jun 02 14:26:00 sogod [9041]: <0x0x55771ad497b0[SOGoCache]> Cache cleanup interval set every 900.000000 seconds
Jun 02 14:26:00 sogod [9041]: <0x0x55771ad497b0[SOGoCache]> Using host(s) 'local-databasehost' as server(s)
Jun 02 14:26:00 sogod [9041]: [WARN] <0x0x7f165075a0a0[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
2025-06-02 14:26:00.146 sogod[9041:9041] OpenId perform request: GET https://idp-test.uni-konstanz.de/.well-known/openid-configuration
2025-06-02 14:26:00.146 sogod[9041:9041] OpenId perform request, headers (null)
Jun 02 14:26:00 sogod [9041]: |SOGo| request took 0.077746 seconds to execute
Jun 02 14:26:00 sogod [9041]: 134.34.1.225 "GET /SOGo/ HTTP/1.1" 302 0/0 0.080 - - 4M - 12
Jun 02 14:26:03 sogod [9041]: |SOGo| starting method 'GET' on uri '/SOGo/?code=AAdzZWNyZXQx0z5lOmUazw5cRA5mnbGMz6fdZdkiR9U5Xt4JXLUMTPVUSo6rwTLJ92NZmyCDvtwLbhxZL-9-Q18yug7EQo9tkZQqwz_iAmzDmcWht2LaBTDv8NbPAmZnjLR7KvGeZfbbFmtUBkC_CKDWT-rKcO_43Bk08pElVSaAnGi3wYbYqIojFu6NSFTDlEYqPJWbNNEFJ9kHphKos2_BxE3V9XEY3JCEOsDAVLD61TZ4XeZJu2K5kMYp7_vKiwWGKfWlwRveZVo4sUNHZF38E7r3SefYZCfC6EXw6y2OCBQisrVYshOto2-lmshGfVrOTRiqgsMkqXQBmLvUA-JnhjHbl85s4vuwJChLqal8Sj4l6flPB4DjfqviyyWLdawK6CbeuuaQaYh7TH-FAU4AUhJ1PyliEhF9vsBlnbnFcRcZ3xbry6j_1o1X8BrwUOItkr0Rbhzu-JEe2aZqask1S4tG9w'
2025-06-02 14:26:03.742 sogod[9041:9041] OpenId perform request: POST https://idp-test.uni-konstanz.de/idp/profile/oidc/token
2025-06-02 14:26:03.742 sogod[9041:9041] OpenId perform request, headers {"content-type" = "application/x-www-form-urlencoded"; }
Jun 02 14:26:08 sogod [9041]: [ERROR] <0x0x55771ae86b50[GSCBufferString]> json parser: Expected value while parsing array, attempting once more after unescaping...
Jun 02 14:26:08 sogod [9041]: [ERROR] <0x0x55771ae86b50[GSCBufferString]> total failure. Original string is: 5f1
{"access_token":"AAdzZWNyZXQxfGtCCm6tx0EsDPT8I8UUsLFK_mhmbX1PCKkBOQSFzRir2YR_HZ6zCR1GN6hE4YXLjDDwIXplia3-9fjewVOO584Dwi4GO-xXwhrDUztSZs576GPSWyJoPrfYSabD1NDHXNBjo4oq6Is2NlIymqEgUIZGQ9iR-xvonAzNdagETD8F0wpXvTjqAeIXJck5irk_QRm9Se2r2EozCHvGTdJaAu5UJg3Mrgkry4OzUe_at0KLlwZB1g1CS31DCVH_XdtmRqpwzMV7UDGuKdJNuscuaC3ss2g7rhanNH9WHi_lwzFawjP84R03bJ3A2kwjSKQx4rOt1IP-soFzcYs_Bgb0lTUumfTWhVI2s9BCOcnIhalprfA_2_jzuMm806Anm2nxC__wLT9qKeIUf1dUW1V2lqhYYDVJI0ytm2V-5CbmJ5_Eh_rlc3HWWEI8GhQ_aS30lIILO3G6qi0_KJnfY9U","scope":"openid profile email","id_token":"eyJraWQiOiJkZWZhdWx0UlNBU2lnbiIsImFsZyI6IlJTNTEyIn0.eyJhdF9oYXNoIjoiTnJBYnZ0RHBSRFMxNzNGbTg3dHl4SlZuSnVxMHRBRjBLc0pMSF9xSDJadyIsInN1YiI6ImZiNGVkZDdmN2IyNDc5ODY3NDNiYzQ3NDM4NTUzZDUwIiwiYXVkIjoiX2ExM2ExZmMyMjg5N2Q0MzgxOWZhMGUxY2VmZjExMWNjIiwiYXV0aF90aW1lIjoxNzQ4ODY3MTYzLCJpc3MiOiJodHRwczovL2lkcC10ZXN0LnVuaS1rb25zdGFuei5kZSIsImV4cCI6MTc0ODg3MDc2MywiaWF0IjoxNzQ4ODY3MTYzLCJzaWQiOiJfOGU4NDNhZTA2NWMyMzVmNDk4YjRjMTcwZTY4NDU5MGUifQ.igdDiKChakVUth0PhqgpUoqTbDudac3RX7oXsRJhxwVZ0Tr-yjqzjIDSsKGKXdLluQtsEtv9h6uEeH98msw5L7a28HOjMd53cD1gQP1D7U2wOqqv8i4c3bLJb_GPlSNFBtLpIw1MrO-g5p8M_Bnf3CXx3HTgW45gIi3q6B4gQtFaMf_fbeWTsf2Jy7oSMQvi4R9VwsQIa_qY-OirTYaLY5c35wIaNfENQG_8SxZ6xz7LFZVCkjmSJRXug6pjeorfHzVmj9T2rY7GHseEkZdoXEnkjP5dnruscKbd4IEMvlxvBTIFA1fWpIBabWVG3O4IN8gJG_9RfEdZ3iaB1YUD8UDJGmiYnRXmzjHJSEjetBvYAucpb_reSjrPwqhz-K4iYrS_5QRtjB0PGnWJDkRAjEch2pI9ttKY4HoNAFANjt4f7zd_mK81qlkwEcyOZIdoXOJAy7QGPNtDwNI_p-aAKfoTSLYnWB_8uBJh46AhkT3r17iHty4vEstcFvhIijVQ","token_type":"Bearer","expires_in":600}
0
2025-06-02 14:26:08.884 sogod[9041:9041] fetch token response: (null)
2025-06-02 14:26:08.884 sogod[9041:9041] OpenId perform request: GET https://idp-test.uni-konstanz.de/idp/profile/oidc/userinfo
2025-06-02 14:26:08.884 sogod[9041:9041] OpenId perform request, headers {authorization = "Bearer (null)"; "content-type" = "application/x-www-form-urlencoded"; }
Jun 02 14:26:08 sogod [9041]: <0x55771ae9fa90[SOGoOpenIdSession]:(null)> Error during fetching the token (status 401), response: <0x0x55771ae659c0[WOResponse]: status=401 headers={"cache-control" = "no-store"; "content-length" = 0; date = " Mon, 02 Jun 2025 12:26:08 GMT"; server = "Apache/2.4.62 (Debian)"; "strict-transport-security" = "max-age=63072000;includeSubDomains; preload"; via = "1.1 idp-test.uni-konstanz.de"; "www-authenticate" = "Bearer error=\"invalid_token\", error_description=\"Invalid access token\""; "x-content-type-options" = nosniff; "x-frame-options" = SAMEORIGIN; } empty-content>
Jun 02 14:26:08 sogod [9041]: [ERROR] <0x55771ae9fa90[SOGoOpenIdSession]:(null)> Can't get user email from profile because: http-error
...

Then these errors and the related log messages repeat themselves until either the IdP or SOGo cancels the connection. We encountered the same error ("json parser: Expected value while parsing array, attempting once more after unescaping...") once before, when SOGo was unable to read the OIDC service description from the IdP. As a result, the IdP admin simply moved the JSON file from the Tomcat server (where the IdP application is running) to the Apache2 server for download.

That worked well for the service description, but I don't believe this workaround is suitable, or even possible, for delivering the access token. I suspect that the IdP encodes certain special characters in JSON in a way that the JSON parser in SOGo cannot read. I further suspect that the solution might lie in the configuration of the Tomcat server or in the configuration of the OIDC plugins of the IdP, so that a JSON file is delivered in which the special characters are represented in plain text and not escaped, allowing SOGo to read them without any error. Or does this issue need to be solved on the SOGo side, for example by using a specific configuration option or a more recent JSON parser?
I have configured the connection to the IDP over OIDC as follows:
{
// Set authentication to OpenID
SOGoAuthenticationType = openid;
SOGoOpenIDDebugEnabled = "YES";
// OIDC sessions in DB
OCSOpenIdURL =
"postgresql://sogo:top_secret@ha-postgres:5432/sogo/sogo_openid";
// Create a new client in keycloak with Client authentication and Standard
// flow enabled and add credentials below
SOGoOpenIdConfigUrl =
"https://idp-test.uni-konstanz.de/.well-known/openid-configuration";
SOGoOpenIdClient = "top_secret";
SOGoOpenIdClientSecret = "top_secret";
SOGoOpenIdScope = "openid profile email";
// This is the key within the OpenID scope that will later be used to
// look up the user in the LDAP directory
// SOGoOpenIdEmailParam = "mail";
SOGoOpenIdEnableRefreshToken = YES;
SOGoOpenIdTokenCheckInterval = 30;
SOGoOpenIdLogoutEnabled = YES;
SOGoXSRFValidationEnabled = NO;
...
}
Apart from the IMAP server communication, which will be developed in the near future once this issue is hopefully resolved, did I do something wrong or overlook anything in the configuration of the communication with the IdP?
I'd appreciate your help.

Markus Grandpré

--
Markus Grandpré
Universität Konstanz
Kommunikations-, Informations- und Medienzentrum (KIM)
Abteilung IT-Dienste Forschung, Lehre und Infrastruktur
Sachgebiet Diensteadministration
Tel: ++49 7531 88 4342
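Added example, not part of the post above and not SOGo or Shibboleth code. The logged "Original string" starts with a line reading 5f1 and ends with a line reading 0, with the JSON object in between; that is the framing of HTTP/1.1 chunked transfer encoding (a hexadecimal chunk length, CRLF, the chunk data, CRLF, then a zero-length final chunk; 0x5f1 is 1521 bytes). A JSON parser that is handed the body with that framing still in place fails on the first character, which matches the rest of the log: the token response is logged as (null), the userinfo request goes out with "Bearer (null)", and the IdP answers 401 invalid_token. The block below is a small decoder for that framing and shows that the same body parses once the chunk framing is removed. The token body it uses is constructed with placeholder values, not the one from the log. Inspecting the raw token response (for instance with curl --raw) shows whether an IdP sends Transfer-Encoding: chunked.

```python
"""Decode an HTTP/1.1 chunked transfer-encoded body, then parse the JSON in it.

Added example, not code from the original post, from SOGo or from Shibboleth.
TOKEN_RESPONSE is a constructed stand-in for an OIDC token response; it shares
only its framing with the logged body: hex chunk size, data, zero-length chunk.
"""
import json


def decode_chunked(raw: bytes) -> bytes:
    """Reassemble the payload of a chunked body (RFC 9112, section 7.1).

    Each chunk is "<hex-size>[;extensions]\r\n<data>\r\n"; a size of 0 ends
    the body. Malformed framing raises ValueError so a caller never treats a
    truncated or misframed body as a complete token response.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = raw.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing chunk-size line")
        size_field = raw[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            raise ValueError(f"bad chunk size {size_field!r}") from None
        pos = eol + 2
        if size == 0:
            # last-chunk reached; any trailer fields after it are ignored here
            return bytes(out)
        chunk = raw[pos:pos + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("missing CRLF after chunk data")
        pos += 2


def make_chunked(payload: bytes, chunk_size: int = 1024) -> bytes:
    """Wrap a payload in chunked framing, the way a server would send it."""
    parts = []
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        parts.append(f"{len(piece):x}\r\n".encode() + piece + b"\r\n")
    parts.append(b"0\r\n\r\n")
    return b"".join(parts)


# Constructed stand-in for the IdP token response; values are placeholders.
TOKEN_RESPONSE = {
    "access_token": "ACCESS_TOKEN_PLACEHOLDER",
    "scope": "openid profile email",
    "id_token": "ID_TOKEN_PLACEHOLDER",
    "token_type": "Bearer",
    "expires_in": 600,
}
RAW_CHUNKED_BODY = make_chunked(json.dumps(TOKEN_RESPONSE).encode())


def parse_token_response(body: bytes, chunked: bool) -> dict:
    """Return the token JSON; strip chunk framing first when the response used it."""
    payload = decode_chunked(body) if chunked else body
    return json.loads(payload)


def naive_parse_fails(body: bytes) -> bool:
    """True when the still-framed body is fed straight to the JSON parser and fails."""
    try:
        json.loads(body)
        return False
    except json.JSONDecodeError:
        return True


if __name__ == "__main__":
    print("framed body starts with:", RAW_CHUNKED_BODY[:12])
    print("naive parse fails:", naive_parse_fails(RAW_CHUNKED_BODY))
    tok = parse_token_response(RAW_CHUNKED_BODY, chunked=True)
    print("access_token after de-chunking:", tok["access_token"])
```

The decoder deliberately rejects a body whose last chunk is missing rather than returning what it has, since a partial token response should never be passed on as a valid token.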