OIDC to Entra ID unmarshalling issue

I am attempting to use OIDC with Entra ID for SSO. When I click Login with SSO I am redirected to the Entra sign-in page and can sign in, perform 2FA, etc.

However, logging in to Incus fails due to what seems to be an issue with parsing the returned access token response, leading to an HTTP 401 as below:

{"type": "error", "status": "", "status_code": 0, "operation": "", "error_code": 401, "error": "Failed to authenticate: failed to unmarshal response: json: cannot unmarshal string into Go struct field AccessTokenResponse.expires_in of type uint64 {"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","expires_on":"1763425407","access_token":"", "metadata": null}

According to ChatGPT this is because the code handling the response doesn’t accept a string value for the expires_in property, which seems to be what Entra ID returns. It would appear to be fairly trivial to support converting a returned string value to the expected uint64.

I have been looking into the Zitadel OIDC project and found where I believe the uint64 data type is specified.

Should I log an issue with Zitadel OIDC, or is there a way to work around this issue without an upstream code change?
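The failure above is a type mismatch in the token endpoint response: the OAuth 2.0 spec gives expires_in as a JSON number, but Entra ID returns it as the JSON string "3599", and a plain uint64 field rejects that. The following added example (not code from the original post, Incus, or Zitadel OIDC; the struct and function names are my own) shows a tolerant Go unmarshaller that accepts either form while still rejecting non-numeric or negative values, so a permissive decoder does not silently turn garbage into a zero lifetime:

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// FlexUint64 decodes from either a JSON number (per spec) or a JSON string
// holding an unsigned decimal integer (what Entra ID sends for expires_in).
type FlexUint64 uint64

func (f *FlexUint64) UnmarshalJSON(b []byte) error {
	raw := string(b)
	if raw == "null" {
		return nil // leave the zero value; caller decides whether that is acceptable
	}
	if len(b) > 0 && b[0] == '"' {
		// Quoted form: decode the JSON string first so escapes are handled correctly.
		var s string
		if err := json.Unmarshal(b, &s); err != nil {
			return fmt.Errorf("expires_in: invalid JSON string %s: %w", raw, err)
		}
		raw = s
	}
	// ParseUint rejects signs, fractions and non-digits, so "3599" and 3599 both
	// succeed while "soon", "-1" and "3599.5" fail loudly instead of becoming 0.
	v, err := strconv.ParseUint(raw, 10, 64)
	if err != nil {
		return fmt.Errorf("expires_in: %q is not an unsigned integer: %w", raw, err)
	}
	*f = FlexUint64(v)
	return nil
}

// AccessTokenResponse is a hypothetical minimal token endpoint response type,
// not the one from Zitadel OIDC; only the fields relevant here are kept.
type AccessTokenResponse struct {
	TokenType   string     `json:"token_type"`
	ExpiresIn   FlexUint64 `json:"expires_in"`
	AccessToken string     `json:"access_token"`
}

// ParseAccessTokenResponse decodes a token endpoint body, accepting either
// encoding of expires_in, and refuses a response that carries no lifetime.
func ParseAccessTokenResponse(body []byte) (*AccessTokenResponse, error) {
	var r AccessTokenResponse
	if err := json.Unmarshal(body, &r); err != nil {
		return nil, fmt.Errorf("failed to unmarshal response: %w", err)
	}
	if r.ExpiresIn == 0 {
		return nil, fmt.Errorf("token response has no usable expires_in")
	}
	return &r, nil
}

// Constructed sample bodies; the token value is a placeholder, not a real token.
const (
	EntraStyleBody = `{"token_type":"Bearer","expires_in":"3599","ext_expires_in":"3599","access_token":"PLACEHOLDER"}`
	SpecStyleBody  = `{"token_type":"Bearer","expires_in":3599,"access_token":"PLACEHOLDER"}`
	BadBody        = `{"token_type":"Bearer","expires_in":"soon","access_token":"PLACEHOLDER"}`
)

func main() {
	for _, body := range []string{EntraStyleBody, SpecStyleBody, BadBody} {
		r, err := ParseAccessTokenResponse([]byte(body))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("accepted: type=%s expires_in=%d\n", r.TokenType, uint64(r.ExpiresIn))
	}
}
```

A custom type like this confines the leniency to the one field the identity provider gets wrong, which is preferable to decoding the whole response into a map and losing the type checking on everything else.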

You can raise an issue with Zitadel OIDC but I don’t know how receptive they will be to it given that the Microsoft Entra implementation appears to violate the OIDC spec…


Thanks. Yes, I wondered the same thing.

May result in a WONTFIX.

If anyone else faces this, please upvote and comment on the Azure feedback portal link that is provided in the answer on @stgraber’s link above.

Hi @stgraber, just FYI, Zitadel resolved the upstream issue that was preventing use of Entra ID for OIDC SSO, so I expect it will make it into a future Incus release.

Ah nice!