5.0.15 : JWT OpenID Okta Issues

Product: PowerShell Universal
Version: 5.0.15

Hello!

Since I started using PSU 5.0.15 I have had issues calling endpoints with Okta OpenID bearer tokens; I keep receiving this message:

An exception was thrown while attempting to evaluate the LINQ query parameter expression 'value(PowerShellUniversal.Authentication.IntegratedAuthCache+<>c__DisplayClass6_0).claimsPrincipal.Identity.Name.ToLower()'. See the inner exception for more information.

The inner exception looks like this:

[ERR][Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddleware] An unhandled exception has occurred while executing the request.
System.InvalidOperationException: An exception was thrown while attempting to evaluate the LINQ query parameter expression 'value(PowerShellUniversal.Authentication.IntegratedAuthCache+<>c__DisplayClass6_0).claimsPrincipal.Identity.Name.ToLower()'. See the inner exception for more information.
 ---> System.NullReferenceException: Object reference not set to an instance of an object.
   at System.Object.GetType()
   at System.Linq.Expressions.Interpreter.FuncCallInstruction`2.Run(InterpretedFrame frame)
   at System.Linq.Expressions.Interpreter.Interpreter.Run(InterpretedFrame frame)
   at System.Linq.Expressions.Interpreter.LightLambda.Run(Object[] arguments)
   at System.Dynamic.Utils.DelegateHelpers.FuncThunk[TReturn](Func`2 handler)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.GetValue(Expression expression, String& parameterName)
   --- End of inner exception stack trace ---
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.GetValue(Expression expression, String& parameterName)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.Evaluate(Expression expression, Boolean generateParameter)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.Visit(Expression expression)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.VisitBinary(BinaryExpression binaryExpression)
   at System.Linq.Expressions.ExpressionVisitor.VisitLambda[T](Expression`1 node)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.Visit(Expression expression)
   at System.Linq.Expressions.ExpressionVisitor.VisitUnary(UnaryExpression node)
   at System.Dynamic.Utils.ExpressionVisitorUtils.VisitArguments(ExpressionVisitor visitor, IArgumentProvider nodes)
   at System.Linq.Expressions.ExpressionVisitor.VisitMethodCall(MethodCallExpression node)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.VisitMethodCall(MethodCallExpression methodCallExpression)
   at Microsoft.EntityFrameworkCore.Query.Internal.ParameterExtractingExpressionVisitor.ExtractParameters(Expression expression, Boolean clearEvaluatedValues)
   at Microsoft.EntityFrameworkCore.Query.Internal.QueryCompiler.Execute[TResult](Expression query)
   at PowerShellUniversal.Extensibility.EFTable`2.FirstOrDefault(Expression`1 predicate) in C:\actions-runner\_work\universal\universal\src\PowerShellUniversal.Extensibility\Persistence\EFTable.cs:line 499
   at PowerShellUniversal.Authentication.IntegratedAuthCache.CreateContext(ClaimsPrincipal claimsPrincipal) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\Authentication\IntegratedAuthCache.cs:line 50
   at Universal.Server.Services.ApiService.ExecuteAsync(HttpContext httpContext) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Services\API\ApiService.cs:line 420
   at Universal.Server.Middleware.RoutingMiddleware.Invoke(HttpContext httpContext, IPolicyEvaluator policyEvaluator) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\RoutingMiddleware.cs:line 128
   at PowerShellUniversal.PSUMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\PowerShellMiddleware.cs:line 43
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Swashbuckle.AspNetCore.SwaggerUI.SwaggerUIMiddleware.Invoke(HttpContext httpContext)
   at Swashbuckle.AspNetCore.Swagger.SwaggerMiddleware.Invoke(HttpContext httpContext, ISwaggerProvider swaggerProvider)
   at Universal.Server.Middleware.WindowsAuthMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\WindowsAuthMiddleware.cs:line 58
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at Universal.Server.Middleware.SwaggerAuthenticationMiddleware.InvokeAsync(HttpContext context, RequestDelegate next) in C:\actions-runner\_work\universal\universal\src\Universal.Server\Middleware\SwaggerAuthMiddleware.cs:line 51
   at Microsoft.AspNetCore.Builder.UseMiddlewareExtensions.InterfaceMiddlewareBinder.<>c__DisplayClass2_0.<<CreateMiddleware>b__0>d.MoveNext()
--- End of stack trace from previous location ---
   at AspNetCoreRateLimit.RateLimitMiddleware`1.Invoke(HttpContext context) in C:\actions-runner\_work\universal\universal\src\AspNetCoreRateLimit\Middleware\RateLimitMiddleware.cs:line 109
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Session.SessionMiddleware.Invoke(HttpContext context)
   at Microsoft.AspNetCore.Diagnostics.ExceptionHandlerMiddlewareImpl.<Invoke>g__Awaited|10_0(ExceptionHandlerMiddlewareImpl middleware, HttpContext context, Task task)

@adam could you please take a look at it? Do you want me to open a ticket as well?

@adam: I found a way to fix this issue. I added the following to the Okta claims:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

This value seems to be what you're looking for in your code, based on PSU-generated tokens. As soon as this value is set (to the email address, for instance), the identity gets created in PSU and things work.

In addition, I noticed that I could also use:

http://schemas.microsoft.com/ws/2008/06/identity/claims/role

to provide a role in the Okta-generated JWT, and thus make use of this role with PSU-defined roles to limit access to endpoints with PSU roles coming from the JWT.

Do you think it could be possible to use values other than those schema URLs to do the same?
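As an added example (not from the original post and not PowerShell Universal's own code), here is a PowerShell diagnostic that decodes a JWT payload and checks for the two claim types named in the thread. Those URIs are the .NET constants System.Security.Claims.ClaimTypes.Name and ClaimTypes.Role, and ClaimsIdentity.Name returns the value of the claim whose type is ClaimTypes.Name, which is why a token without it ends in the Identity.Name null reference in the stack trace above. The tokens, issuer, subject and role name in the script are constructed sample values; the function names are invented for this example; whether the server also maps Okta's short claim names onto these types is not covered by the thread and is not assumed here.

```powershell
# Added example; not part of the original thread and not PowerShell Universal's own code.
# Decodes a JWT payload WITHOUT verifying the signature and reports whether the claim
# types the thread found PSU to need are present. It is a configuration check, not a
# validator: only point it at tokens the server has already validated.

# .NET constants System.Security.Claims.ClaimTypes.Name and ClaimTypes.Role.
# ClaimsIdentity.Name returns the value of the claim whose type is ClaimTypes.Name,
# so a token without that claim leaves Identity.Name null.
$ExpectedClaimTypes = @{
    Name = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
    Role = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
}

function ConvertTo-Base64Url {
    # Helper used only to build the constructed sample tokens below.
    param([Parameter(Mandatory)][string]$Text)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    return [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-JwtPayload {
    # Returns the decoded payload (second segment) of a compact JWS as a PSCustomObject.
    param([Parameter(Mandatory)][string]$Token)

    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS: expected header.payload.signature.' }

    # Segments are base64url without padding; restore padding and the standard alphabet.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        1 { throw 'Invalid base64url payload length.' }
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Test-PsuClaims {
    # Reports whether the name and role claim types are present and which roles were carried.
    param([Parameter(Mandatory)][string]$Token)

    $payload = ConvertFrom-JwtPayload -Token $Token
    $present = @($payload.PSObject.Properties.Name)
    $hasName = $present -contains $ExpectedClaimTypes.Name
    $hasRole = $present -contains $ExpectedClaimTypes.Role
    $roles   = @()
    if ($hasRole) { $roles = @($payload.($ExpectedClaimTypes.Role)) }

    [pscustomobject]@{
        HasNameClaim = $hasName
        HasRoleClaim = $hasRole
        Roles        = $roles
        ClaimTypes   = $present
    }
}

# Constructed sample tokens (not real Okta output). The signature segment is a placeholder,
# which is acceptable only because this script never verifies signatures.
$header = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'

# Token 1: standard claims only; no ClaimTypes.Name, so PSU's lookup would see a null Name.
$missing = ConvertTo-Base64Url '{"iss":"https://example.okta.com","sub":"00u-sample","email":"user@example.com","exp":1700000000}'

# Token 2: the two claim types from the thread added, as the post describes.
$fixed = ConvertTo-Base64Url ('{"iss":"https://example.okta.com","sub":"00u-sample",' +
    '"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name":"user@example.com",' +
    '"http://schemas.microsoft.com/ws/2008/06/identity/claims/role":["Operator"],' +
    '"exp":1700000000}')

$tokenMissingName = @($header, $missing, 'signature-placeholder') -join '.'
$tokenWithName    = @($header, $fixed,   'signature-placeholder') -join '.'

Test-PsuClaims -Token $tokenMissingName | Format-List
Test-PsuClaims -Token $tokenWithName    | Format-List
```

Running the script on a real Okta token (for example one captured from a failing request in a test tenant) shows at a glance whether the name claim type is absent, which is the condition that produces the NullReferenceException in IntegratedAuthCache.CreateContext, and lists the roles PSU would be able to match against its own role definitions.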