
Comments (16)

raulsperoni avatar raulsperoni commented on August 16, 2024 1

Hi, ruby isn't my thing either. Discovery is set to false. I haven't found how to solve this but in the meantime I've disabled verification overriding the decode method with this code inside an initializer.

module OpenIDConnect
  class ResponseObject
    class IdToken < ConnectObject
      class << self
        # Monkeypatch: overrides the gem's IdToken.decode so the ID token is parsed
        # with :skip_verification, i.e. its signature is never checked. Self-issued
        # tokens keep their original code path.
        # Note: this logs the raw ID token at debug level.
        def decode(jwt_string, key)
          Rails.logger.debug jwt_string
          Rails.logger.debug key
          if key == :self_issued
            decode_self_issued jwt_string
          else
            new JSON::JWT.decode jwt_string, :skip_verification
          end
        end
      end
    end
  end
end

from omniauth_openid_connect.
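Added example (not code from this thread or from the omniauth_openid_connect gem): what the :skip_verification shortcut above gives up, shown in plain Ruby with only the json and openssl standard libraries. It builds a constructed provider key and the JWKS document such a provider would serve at jwks_uri, issues an RS256 ID token, then decodes it two ways: the unverified parse that the monkeypatch amounts to, and a verified decode that selects the key by kid, pins the alg to RS256, checks the RSA signature and then checks iss, aud and exp. A token whose payload has been rewritten to sub=admin is accepted by the first and rejected by the second. Key id, issuer, client id and claim values are made up for the demo; the JWK-to-OpenSSL conversion goes through a SubjectPublicKeyInfo DER so it needs no extra gem.

```ruby
require "json"
require "openssl"

# base64url (RFC 7515 section 2) on top of pack/unpack so no extra gem is needed
def b64url_encode(bin)
  [bin].pack("m0").tr("+/", "-_").delete("=")
end

def b64url_decode(str)
  s = str.tr("-_", "+/")
  s += "=" * ((4 - s.length % 4) % 4)
  s.unpack1("m0")
end

# Rebuild an OpenSSL RSA public key from a JWK's n/e by wrapping them in a SubjectPublicKeyInfo DER
def jwk_to_rsa(jwk)
  n = OpenSSL::BN.new(b64url_decode(jwk["n"]), 2)
  e = OpenSSL::BN.new(b64url_decode(jwk["e"]), 2)
  rsa_pub = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::Integer.new(n), OpenSSL::ASN1::Integer.new(e)])
  alg_id = OpenSSL::ASN1::Sequence.new([OpenSSL::ASN1::ObjectId.new("rsaEncryption"), OpenSSL::ASN1::Null.new(nil)])
  spki = OpenSSL::ASN1::Sequence.new([alg_id, OpenSSL::ASN1::BitString.new(rsa_pub.to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# The JWKS document a provider would serve at jwks_uri, constructed here from a freshly generated key
def jwks_for(rsa, kid)
  { "keys" => [{ "kty" => "RSA", "use" => "sig", "alg" => "RS256", "kid" => kid,
                 "n" => b64url_encode(rsa.n.to_s(2)), "e" => b64url_encode(rsa.e.to_s(2)) }] }
end

# Provider side: RS256 compact JWS over header and claims (RFC 7515 section 5.1)
def sign_id_token(rsa, kid, claims)
  header = { "alg" => "RS256", "typ" => "JWT", "kid" => kid }
  input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(claims))}"
  "#{input}.#{b64url_encode(rsa.sign(OpenSSL::Digest.new('SHA256'), input))}"
end

# What the :skip_verification monkeypatch amounts to: trust whatever the payload says
def decode_unverified(jwt)
  JSON.parse(b64url_decode(jwt.split(".")[1]))
end

# Relying-party side: pick the key by kid, pin the alg, verify the signature, then check the claims
def verify_id_token(jwt, jwks, issuer:, client_id:, now: Time.now.to_i)
  h, p, s = jwt.split(".")
  raise "malformed token" unless h && p && s
  header = JSON.parse(b64url_decode(h))
  raise "unsupported alg #{header['alg'].inspect}" unless header["alg"] == "RS256" # also rejects alg=none
  jwk = jwks["keys"].find { |k| k["kty"] == "RSA" && k["kid"] == header["kid"] }
  raise "no RSA key with kid #{header['kid'].inspect}" unless jwk
  pub = jwk_to_rsa(jwk)
  raise "bad signature" unless pub.verify(OpenSSL::Digest.new("SHA256"), b64url_decode(s), "#{h}.#{p}")
  claims = JSON.parse(b64url_decode(p))
  raise "wrong issuer" unless claims["iss"] == issuer
  raise "wrong audience" unless Array(claims["aud"]).include?(client_id)
  raise "token expired" unless claims["exp"].is_a?(Integer) && claims["exp"] > now
  claims
end

# Constructed fixtures: a provider key (2048-bit RSA), its JWKS, and the RP's expected issuer/client_id
PROVIDER_KEY = OpenSSL::PKey::RSA.new(2048)
KID = "2024-08-signing-key"
JWKS = jwks_for(PROVIDER_KEY, KID)
ISSUER = "https://op.example.test"
CLIENT_ID = "my-rails-app"

def genuine_token(now = Time.now.to_i)
  sign_id_token(PROVIDER_KEY, KID, { "iss" => ISSUER, "aud" => CLIENT_ID, "sub" => "alice",
                                     "iat" => now, "exp" => now + 300, "nonce" => "n-0S6_WzA2Mj" })
end

# Attacker: keep header and signature, rewrite the payload so sub becomes "admin"
def forged_token(token)
  h, p, s = token.split(".")
  claims = JSON.parse(b64url_decode(p)).merge("sub" => "admin")
  "#{h}.#{b64url_encode(JSON.generate(claims))}.#{s}"
end

def demo
  good = genuine_token
  bad = forged_token(good)
  forged_accepted = begin
    verify_id_token(bad, JWKS, issuer: ISSUER, client_id: CLIENT_ID)
    true
  rescue RuntimeError
    false
  end
  { verified_sub: verify_id_token(good, JWKS, issuer: ISSUER, client_id: CLIENT_ID)["sub"],
    unverified_sub: decode_unverified(bad)["sub"],
    forged_accepted: forged_accepted }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Running it prints verified_sub "alice", unverified_sub "admin" and forged_accepted false: with verification skipped, whoever controls the redirect back to the app controls who they log in as, which is why the workaround should be temporary and the fix should be to give the strategy a real key source when discovery is off.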

minorOffense avatar minorOffense commented on August 16, 2024 1

I did something similar. I reverted this commit and it works now. Following the logic in that file I'm 90% sure the problem is related to the JWKS_URI not being called or loading the public key data with discovery off.

But that said, reverting that validation does allow the signing to work.

#44

And I haven't figured out how to change the ruby code to load the public key properly :-/

from omniauth_openid_connect.

yoonwaiyan avatar yoonwaiyan commented on August 16, 2024 1

I'm having this issue too and I found that there seems to be a config that's not documented: client_signing_alg as I looked from here: https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L265-L276

but even though I tried this configuration, the verification didn't work. Is the client_options.secret config supposed to be the client secret or something else? Pardon my limited knowledge on OAuth.

from omniauth_openid_connect.

makeready avatar makeready commented on August 16, 2024 1

I have the same issue. My provider does not expose a jwks endpoint, so I have discovery set to false and client_auth_method set to basic. However the id token is still being verified (and fails)

I was able to use OP's monkeypatch workaround without issue.

from omniauth_openid_connect.

froger avatar froger commented on August 16, 2024 1

My 2 cents here, seems there is another option client_jwk_signing_key that can contain the JSON content of the jwks endpoint (used in test file):

https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/test/lib/omniauth/strategies/openid_connect_test.rb#L170-L173

A bit hacky, but should work.

===

Then, regarding this issue, I have some pointers.

The lines that are concerned are the following I guess:

https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L179-L183

As the config.jwks is a result of an OIDC discovery, it will be null if discover==false

https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L96-L98

So basically, jwks_uri is never used when discover is set to false. If I understand the code correctly, I would add a switch branch there:

https://github.com/m0n9oose/omniauth_openid_connect/blob/ef2942047c866993d8323115c419371d75f05a60/lib/omniauth/strategies/openid_connect.rb#L265-L276

        when :RS256, :RS384, :RS512
          if options.jwks_uri
             # Call the remote endpoint and return the jwks here.
          elsif options.client_jwk_signing_key
            parse_jwk_key(options.client_jwk_signing_key)
          elsif options.client_x509_signing_key
            parse_x509_key(options.client_x509_signing_key)
          end

@m0n9oose I am literally discovering the library, so I don't feel comfortable fixing it. But this is an issue I am facing too, so if no one more experienced with it can handle it next week, will try a PR.

from omniauth_openid_connect.
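Added example (not the gem's code and not a patch from this thread): a standalone sketch of the key-source selection froger proposes above, in plain Ruby. It tries a configured jwks_uri first (HTTPS only, with timeouts), then a pinned JWKS document handed in the way client_jwk_signing_key is used, and otherwise fails closed instead of falling back to an unverified decode. The option names jwks_uri and client_jwk_signing_key match the thread; the fetcher is injectable so the selection logic can be exercised offline, and the sample JWKS is constructed with a placeholder modulus that is not a real key.

```ruby
require "json"
require "net/http"
require "uri"

# Fetch a JWKS document over HTTPS. Refuses plain http: a JWKS obtained over an
# unauthenticated channel is worth nothing as a signature trust anchor.
def fetch_jwks_over_https(jwks_uri)
  uri = URI.parse(jwks_uri)
  raise ArgumentError, "jwks_uri must be https: #{jwks_uri}" unless uri.is_a?(URI::HTTPS)
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true, open_timeout: 5, read_timeout: 5) do |http|
    http.get(uri.request_uri)
  end
  raise "jwks fetch failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  res.body
end

# Parse a JWKS body and keep only RSA keys that carry what RS256 verification needs (kid, n, e)
def parse_jwks(json)
  doc = JSON.parse(json)
  keys = doc["keys"]
  raise "JWKS has no keys array" unless keys.is_a?(Array) && !keys.empty?
  rsa = keys.select { |k| k["kty"] == "RSA" && k["kid"] && k["n"] && k["e"] }
  raise "JWKS contains no usable RSA keys" if rsa.empty?
  rsa
end

# Key-source order for RS256 when discovery is off: remote jwks_uri, then pinned
# client_jwk_signing_key, otherwise an error. There is deliberately no "skip" branch.
def resolve_signing_keys(options, fetcher: method(:fetch_jwks_over_https))
  if options[:jwks_uri]
    parse_jwks(fetcher.call(options[:jwks_uri]))
  elsif options[:client_jwk_signing_key]
    parse_jwks(options[:client_jwk_signing_key])
  else
    raise "no signing key source: set jwks_uri or client_jwk_signing_key"
  end
end

# Constructed sample standing in for what a provider serves at jwks_uri (placeholder values, not a real key)
SAMPLE_JWKS = JSON.generate("keys" => [
  { "kty" => "RSA", "use" => "sig", "alg" => "RS256", "kid" => "k1",
    "n" => "placeholder-modulus-not-a-real-key", "e" => "AQAB" },
  { "kty" => "EC", "kid" => "ignored-ec-key", "crv" => "P-256", "x" => "placeholder", "y" => "placeholder" }
])

# Offline demo: pinned document, stubbed remote fetch, and the fail-closed case
def demo
  pinned = resolve_signing_keys({ client_jwk_signing_key: SAMPLE_JWKS }).map { |k| k["kid"] }
  remote = resolve_signing_keys({ jwks_uri: "https://op.example.test/jwks" },
                                fetcher: ->(_uri) { SAMPLE_JWKS }).map { |k| k["kid"] }
  none = begin
    resolve_signing_keys({})
    :accepted
  rescue RuntimeError
    :rejected
  end
  { pinned: pinned, remote: remote, no_source: none }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Only the kid "k1" survives parse_jwks in both paths; the EC entry is dropped because an RS256 branch cannot use it, and calling with neither option raises rather than silently verifying nothing.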

minorOffense avatar minorOffense commented on August 16, 2024

Having a similar problem. By any chance do you have discovery set to false? Because I'm thinking the jwks_uri doesn't get used if discovery is off. But I'm still in the middle of debugging. Haven't figured it out yet (ruby isn't my strong suit).

from omniauth_openid_connect.

vpiau avatar vpiau commented on August 16, 2024

Same problem here. I can't use discovery: true as my provider named the configuration file .well-known/wallet-openid-configuration instead of .well-known/openid-configuration.
In my point of view we should be able to set jwks_uri even with discovery: false.

from omniauth_openid_connect.

stale avatar stale commented on August 16, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from omniauth_openid_connect.

shadwell avatar shadwell commented on August 16, 2024

In response to the stale bot: we're prevented from upgrading to 0.3.5 due to this issue I think. Seems like patching out checks isn't the best way to proceed ... but I don't see what is the best solution.

from omniauth_openid_connect.

minorOffense avatar minorOffense commented on August 16, 2024

Well we know what the issue is. Just none of us know Ruby well enough to write a proper fix :-/

Best we can do is poke the maintainer or hopefully someone else comes along. But the issue was introduced in #44 so at least we know how to work around for the moment.

from omniauth_openid_connect.

stanhu avatar stanhu commented on August 16, 2024

#89 solves the issue for me.

@m0n9oose Can you take a look?

from omniauth_openid_connect.

stanhu avatar stanhu commented on August 16, 2024

I've pulled the changes in #89 into our fork:

  1. Rubygems: https://rubygems.org/gems/gitlab-omniauth-openid-connect
  2. Home page: https://gitlab.com/gitlab-org/gitlab-omniauth-openid-connect

from omniauth_openid_connect.

stale avatar stale commented on August 16, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from omniauth_openid_connect.

minorOffense avatar minorOffense commented on August 16, 2024

It would be nice if we could get this merged. It’s troublesome manually patching things :-/

from omniauth_openid_connect.

minorOffense avatar minorOffense commented on August 16, 2024

Oh gitlab forked the project?

from omniauth_openid_connect.

stale avatar stale commented on August 16, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

from omniauth_openid_connect.
