Change warn to debug when parsing non-string array claim element in oidc_util_set_app_infos

[nclarkau]

We have a claim (roles) in the ID token that is an array of objects and this is triggering a warning on every request as they cannot be parsed.

"roles": [
    {
        "type": "xxxxxxxxxxxxxxx",
        "value": "xxxxxxxxxxxxxxx"
    },
    {
        "type": "xxxxxxxxxxxxxxx",
        "value": "xxxxxxxxxxxxxxx"
    }
],

This means we get a tsunami of warnings since all sessions/tokens contain the same claim structure. If we try to reduce the log levels for this module we miss out on other much more useful warnings.

[Fri Jul 19 06:52:57.034856 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034853 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034698 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.034695 2024] [auth_openidc:warn] [pid 1660885:tid 140259236984576] [client 10.42.193.122:46422] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.003063 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.003060 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.002909 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:57.002905 2024] [auth_openidc:warn] [pid 1660886:tid 140259270555392] [client 10.42.193.122:12408] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:56.778863 2024] [auth_openidc:warn] [pid 1660885:tid 140259245377280] [client 10.42.193.53:34374] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx
[Fri Jul 19 06:52:56.778863 2024] [auth_openidc:warn] [pid 1660885:tid 140259245377280] [client 10.42.193.53:34374] oidc_util_set_app_infos: unhandled in-array JSON object type [0] for key "roles" when parsing claims array elements, referer: xxxx

It kind of goes against principles of log level verbosity where warnings should be infrequent and not on every transaction/request. As I suspect in most cases, just like we have found, if this condition is met its highly likely to be met on all requests.

code reference:

mod_auth_openidc/src/util.c

Line 1625 in 94f832f

oidc_warn(r,

Could this please be changed to debug instead of warn?

[zandbelt]

How about blacklisting the claim with OIDCBlackListedClaims or even better, have the IDP not issue unused claims at all?

[nclarkau]

The claim is integral to the identity solution so we need it in ID tokens sent downstream. It looks like OIDCBlackListedClaims would also remove from the ID token.

[zandbelt]

I see, it is now changed in ea3af87

[nclarkau]

Thank you!

[zandbelt]

this is now released in https://github.com/OpenIDC/mod_auth_openidc/releases/tag/v2.4.16.4