/oauth2/token return id_token with malformed updated_at (scientific notation) #3850

Open
3 of 5 tasks
kghost opened this issue Sep 27, 2024 · 3 comments
Labels
bug Something is not working.

Comments

kghost commented Sep 27, 2024

Preflight checklist

Ory Network Project

No response

Describe the bug

/oauth2/token returns a JSON with id_token; after base64 decoding, I got the following JSON:

{
  "amr":["password"],
  "at_hash":"xxx",
  "aud":["xxx"],
  "auth_time":1727351026,
  "email":"[email protected]",
  "email_verified":true,
  "exp":1727473364,
  "iat":1727408564,
  "iss":"https://hydra.example.com/",
  "jti":"xxx",
  "preferred_username":"xxx",
  "rat":1727408564,
  "sid":"xxx",
  "sub":"xxx",
  "updated_at":1.705586667e+09
}

Everything is fine except that updated_at is in scientific notation.

And my application kratos returns an error:

json: cannot unmarshal number 1.705586667e+09 into Go struct field Claims.updated_at of type int64

Reproducing the bug

Environment:
OAuth2 Provider: Kratos(v1.2.0) + Hydra(v2.2.0) + UI(v0.14.1)
Application: Kratos(v1.2.0) + UI(v0.14.1)

I can confirm that the /admin/oauth2/auth/requests/consent/accept endpoint got correct claims:

{
  "grant_scope":["openid","email","profile"],
  "grant_access_token_audience":[],
  "session":{
    "access_token":{},
    "id_token":{
      "email":"[email protected]",
      "email_verified":true,
      "preferred_username":"xxx",
      "updated_at":1705586667
    }
  }
}

I also checked the database, and confirmed that the hydra_oauth2_flow table contains the correct session_id_token:

select requested_at, session_id_token from hydra_oauth2_flow where client_id = 'xxx' and subject = 'xxx' order by requested_at;
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+
| requested_at        | session_id_token                                                                                                                  |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+
| 2024-09-27 03:53:32 | {"email": "[email protected]", "updated_at": 1705586667, "email_verified": true, "preferred_username": "xxx"}    |
+---------------------+-----------------------------------------------------------------------------------------------------------------------------------+

Relevant log output

No response

Relevant configuration

No response

Version

v2.2.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes with Helm

Additional Context

No response
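
An added example, not from the issue or from Ory's code: one way a relying party written in Go could accept an integer claim regardless of the notation the encoder chose, while still rejecting fractional or out-of-range values instead of truncating them. The names UnixSeconds, StrictClaims, TolerantClaims, decodeStrict and decodeTolerant are hypothetical, and the payload is constructed from the updated_at value quoted in the report.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math/big"
)

// UnixSeconds (hypothetical) accepts any JSON number whose value is an exact
// integer that fits int64. big.Rat parses plain and exponent notation exactly,
// so no float64 rounding is involved.
type UnixSeconds int64

func (u *UnixSeconds) UnmarshalJSON(b []byte) error {
	r, ok := new(big.Rat).SetString(string(b))
	if !ok || !r.IsInt() || !r.Num().IsInt64() {
		return fmt.Errorf("updated_at: %s is not an integer timestamp", b)
	}
	*u = UnixSeconds(r.Num().Int64())
	return nil
}

// StrictClaims mirrors the failing shape in the report: a plain int64 field.
type StrictClaims struct {
	UpdatedAt int64 `json:"updated_at"`
}

type TolerantClaims struct {
	UpdatedAt UnixSeconds `json:"updated_at"`
}

func decodeStrict(payload string) (int64, error) {
	var c StrictClaims
	err := json.Unmarshal([]byte(payload), &c)
	return c.UpdatedAt, err
}

func decodeTolerant(payload string) (int64, error) {
	var c TolerantClaims
	err := json.Unmarshal([]byte(payload), &c)
	return int64(c.UpdatedAt), err
}

func main() {
	const payload = `{"sub":"xxx","updated_at":1.705586667e+09}` // constructed
	_, err := decodeStrict(payload)
	fmt.Println("strict:", err)
	v, err := decodeTolerant(payload)
	fmt.Println("tolerant:", v, err)
}
```
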

kghost added the bug label Sep 27, 2024
Member

aeneasr commented Oct 21, 2024

Thank you for the report - the problem is likely an incorrect JSON encoder somewhere deep down in fosite. If you have an idea where this could come from, we appreciate help in pinning down the issue!

Member

aeneasr commented Oct 21, 2024

Looks like this is fixed on master: #3819

Author

kghost commented Oct 23, 2024

Thanks @aeneasr, I'll be glad to verify it when the fix is released.
