Problem statement
In relation to OIDC connections, this is what we have experienced:
- Create an OIDC connection and set the example.com domain for it.
- Ensure that domain discovery works (the user enters test@example.com and is redirected to the external SSO page).
- Using the Management API, trigger a GET /api/v2/connections/connectionId request to get the connection and copy the options field.
- Remove domain_aliases from the copied section and send the PATCH request (without domain_aliases), e.g.:
PATCH /api/v2/connections/connectionId
{
  "options": {
    "type": "back_channel",
    "scope": "openid profile email",
    "issuer": "https://my_tenant.us.auth0.com/",
    "jwks_uri": "https://my_tenant.us.auth0.com/.well-known/jwks.json",
    "client_id": "*****",
    "client_secret": "*****",
    "discovery_url": "https://my_tenant.us.auth0.com/.well-known/openid-configuration",
    "token_endpoint": "https://my_tenant.us.auth0.com/oauth/token",
    "userinfo_endpoint": "https://my_tenant.us.auth0.com/userinfo",
    "authorization_endpoint": "https://my_tenant.us.auth0.com/authorize"
  }
}
- Try to log in using test@example.com: domain discovery will still work.
In this case the user is redirected to the IdP, but since no domain is present in domain_aliases, the expected behaviour is that the user should not have been redirected.
If we do not pass the domain_aliases array in the options object, the previously stored domains are retained, and the user is still redirected to that IdP based on the domain previously configured for HRD. However, if you perform the GET operation on the connection, domain_aliases is not part of the returned options object:
GET connection
{
  "id": "con_**********",
  "options": {
    "type": "back_channel",
    "scope": "openid profile email",
    "issuer": "https://my_tenant.us.auth0.com/",
    "jwks_uri": "https://my_tenant.us.auth0.com/.well-known/jwks.json",
    "client_id": "********",
    "client_secret": "**",
    "discovery_url": "https://my_tenant.us.auth0.com/.well-known/openid-configuration",
    "token_endpoint": "https://my_tenant.us.auth0.com/oauth/token",
    "userinfo_endpoint": "https://my_tenant.us.auth0.com/userinfo",
    "authorization_endpoint": "https://my_tenant.us.auth0.com/authorize"
  },
  "strategy": "oidc",
  "name": "OIDC-Connection",
  "is_domain_connection": false,
  "show_as_button": false,
  "display_name": "OIDC-Connection",
  "realms": [
    "OIDC-Connection"
  ]
}
However, if we pass domain_aliases as an empty array, we get the expected behaviour and the user is no longer redirected to the IdP.
Working payload:
PATCH /api/v2/connections/connectionId
{
  "options": {
    "type": "back_channel",
    "scope": "openid profile email",
    "issuer": "https://my_tenant.us.auth0.com/",
    "jwks_uri": "https://my_tenant.us.auth0.com/.well-known/jwks.json",
    "client_id": "*****",
    "client_secret": "*",
    "discovery_url": "https://my_tenant.us.auth0.com/.well-known/openid-configuration",
    "token_endpoint": "https://my_tenant.us.auth0.com/oauth/token",
    "userinfo_endpoint": "https://my_tenant.us.auth0.com/userinfo",
    "authorization_endpoint": "https://my_tenant.us.auth0.com/authorize",
    "domain_aliases": []
  }
}
GET connection
{
  "id": "con_********",
  "options": {
    "type": "back_channel",
    "scope": "openid profile email",
    "issuer": "https://my_tenant.us.auth0.com/",
    "jwks_uri": "https://my_tenant.us.auth0.com/.well-known/jwks.json",
    "client_id": "******",
    "client_secret": "*",
    "discovery_url": "https://my_tenant.us.auth0.com/.well-known/openid-configuration",
    "domain_aliases": [],
    "token_endpoint": "https://my_tenant.us.auth0.com/oauth/token",
    "userinfo_endpoint": "https://my_tenant.us.auth0.com/userinfo",
    "authorization_endpoint": "https://my_tenant.us.auth0.com/authorize"
  },
  "strategy": "oidc",
  "name": "OIDC-Connection",
  "is_domain_connection": false,
  "show_as_button": false,
  "display_name": "OIDC-Connection",
  "realms": [
    "OIDC-Connection"
  ]
}
I also observed that if I clear the HRD from the Dashboard and then perform a GET operation, "domain_aliases" is returned as an empty array, so I believe it is expected to be explicitly set as an empty array rather than removing the entire domain_aliases key from the options object. However, I would like to get this clarified and know the correct behaviour.
As per the public docs:
"Note: if you use the options parameter, the whole options object will be overridden, so ensure that all parameters are present"
https://auth0.com/docs/api/management/v2#!/Connections/patch_connections_by_id
Could you please clarify why, when we don't pass the "domain_aliases" field in the PATCH connection request, the old value is retained?
Solution
Our engineering team is aware of this issue and is working on a plan to address it. In the meantime, the workaround is to send domain_aliases: [] or tenant_domain: '' explicitly in the options payload.
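The following is an added example (not Auth0's code) of how to build the PATCH body so the workaround cannot be forgotten: it carries every fetched options key forward, always writes domain_aliases explicitly, and treats a GET response that lacks the key as "HRD state unknown" rather than "HRD cleared". The sample connection is constructed to mirror the page; sending the body is left to the caller's HTTP client, and setting tenant_domain alongside an empty domain_aliases is an assumption combining the two workarounds named above.

```python
import copy
import json

# Constructed sample mirroring the GET response on this page (secrets redacted).
# Note that domain_aliases is absent even though example.com may still be active server-side.
FETCHED_CONNECTION = {
    "id": "con_PLACEHOLDER",
    "strategy": "oidc",
    "options": {
        "type": "back_channel",
        "scope": "openid profile email",
        "issuer": "https://my_tenant.us.auth0.com/",
        "discovery_url": "https://my_tenant.us.auth0.com/.well-known/openid-configuration",
        "client_id": "REDACTED",
        "client_secret": "REDACTED",
    },
}


def build_patch_body(connection, domain_aliases, clear_tenant_domain=True):
    """Build the JSON body for PATCH /api/v2/connections/{id}.

    PATCH replaces the whole options object, so every fetched key is carried
    over, and domain_aliases is always written: an empty list clears home realm
    discovery, whereas omitting the key keeps the previously stored domains.
    """
    opts = copy.deepcopy(connection["options"])
    # Normalise so "Example.COM " and "example.com" cannot both slip in.
    opts["domain_aliases"] = sorted({d.strip().lower() for d in domain_aliases if d.strip()})
    if not opts["domain_aliases"] and clear_tenant_domain:
        opts["tenant_domain"] = ""  # assumption: both workarounds may be sent together
    return {"options": opts}


def hrd_cleared(connection):
    """True only when the response carries an explicit, empty domain_aliases.

    An absent key is not proof that HRD is off: the page shows old domains
    staying active while the key is missing from GET, so absent means unknown.
    """
    return connection.get("options", {}).get("domain_aliases") == []


if __name__ == "__main__":
    body = build_patch_body(FETCHED_CONNECTION, [])
    print(json.dumps(body, indent=2))
    print("HRD explicitly cleared in body:", hrd_cleared(body))
```

After sending the body, re-run the GET and require hrd_cleared() to be true before considering the domain routing removed.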