Comments (7)
Thanks for your feedback!
I tried to verify the token using various verification libraries and none of them understands PS256.
This is sad for them, since PS256 is pretty much the way to go if you want to avoid potentially insecure RSA PKCS#1 signatures with keys with low exponent (Bleichenbacher).
Is there a config option to change this?
Yes.
--signing-method string JWT signing method (default "PS256")
as command line argument when starting Konnect. It defines what algorithm is used.
For RSA keys you can switch to any of the PKCS#1 based variants (RS256, RS384, RS512). Konnect also supports ECDSA keys (ES256, ES384, ES512).
Switching to RS256 fixes this. THX for now - let's see what needs to be done these days to support PS256.
It's a valid workaround. Konnect will refuse to start with an RSA key with a low exponent anyway (see lines 150 to 151 in fe1e8ad).
I doubt that there are still SSL libraries out there who generate such keys when using their default settings. So should be good enough to use RS256 in production.
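An added example (not Konnect's code) of the two points this comment turns on: a start-up style guard that refuses an RSA public key with a low exponent before any signature is trusted, and PS256 sign/verify over a compact JWS using only Go's standard library. The 65537 threshold, the function names and the sample claims are assumptions of the example, not values taken from Konnect.

```go
package main
import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Guard in the spirit of the start-up check described above: refuse RSA keys with a public exponent below 65537 (assumed threshold).
const minPublicExponent = 65537
// pssOpts selects PS256: RSASSA-PSS with SHA-256 and salt length equal to the hash length (RFC 7518 section 3.5).
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA256}

func checkExponent(pub *rsa.PublicKey) error {
	if pub.E < minPublicExponent {
		return fmt.Errorf("rsa public exponent %d is below %d", pub.E, minPublicExponent)
	}
	return nil
}
// signPS256 builds the compact JWS "header.payload.signature" from the given JSON parts.
func signPS256(priv *rsa.PrivateKey, headerJSON, payloadJSON string) (string, error) {
	input := base64.RawURLEncoding.EncodeToString([]byte(headerJSON)) + "." + base64.RawURLEncoding.EncodeToString([]byte(payloadJSON))
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// verifyPS256 applies the exponent guard, then checks the PSS signature over header.payload.
func verifyPS256(pub *rsa.PublicKey, token string) error {
	if err := checkExponent(pub); err != nil {
		return err
	}
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed compact JWS: %d parts", len(parts))
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts)
}
```

A verifier that only knows RS256 would reject the token produced here even with the correct key, which is the symptom described in this thread; the exponent guard runs before any signature math, so a weak key never gets as far as verification.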
THX a lot @longsleep - I'll give that a try ....
You are welcome. You seem to use okta-jwt-verifier-php which either uses spomky-labs/jose or firebase/php-jwt where firebase/php-jwt does not support RSA-PSS but spomky-labs/jose does (according to their docs at https://packagist.org/packages/spomky-labs/jose). Maybe you can use spomky-labs/jose?
No idea why but they seem to only allow RS256 - no idea why.
https://github.com/okta/okta-jwt-verifier-php/blob/1cef6069221c31607806b54b7d36bd610aecaa13/src/Adaptors/SpomkyLabsJose.php#L36
But even if I set this to PS256 it does not verify the token.
Raised okta/okta-jwt-verifier-php#24