Comments (2)
Hi @moximoti
Thanks for the feedback about the library 😃 and the bug!
I knew the library was not able to validate the signature if no kid is in the header but multiple keys are in the key set without kid (which is spec compliant).
Apparently it's also not able to validate if kid is only missing in the header but not in the key set.
I should be able to provide you with a fix by tomorrow evening.
from oidc.
Hey @moximoti
I just created a PR which would change the following:
- FindKey is deprecated in favor of FindMatchingKey, which will return an error (ErrKeyNone / ErrKeyMultiple) instead of just the bool
- FindKey will wrap the new FindMatchingKey method to get the changes for finding keys without kid
- FindMatchingKey will iterate through the keys and now check for `use` and if the `alg` header matches the key type
  - then, if the kids match exactly and are not empty, the key is taken
  - or, if either kid is empty, the key is appended to the possible keys
- I refactored the VerifySignature of remoteKeySet into multiple methods; in combination with the changes of FindMatchingKey, it will now:
  - check for cached keys and, if empty, use remote keys directly
  - if a single cached key matches, try to verify the signature
  - on error it will check if kid was empty and then check for new remote keys
  - the remote key check in this case can be disabled by passing SkipRemoteCheck into NewRemoteKeySet
This should solve your problem and you could even set the SkipRemoteCheck option if there's only a single key without key rotation.
I will retest the OIDC RP Certification later today and check if there's any other spec violation.
from oidc.
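The key-selection and cache-refresh rules described in the comment above, written out as an added Go example. This is a simplified reimplementation for illustration, not the zitadel/oidc library's own code. Assumptions not in the thread: a minimal JSONWebKey struct carrying only kid/use/kty (the library works on go-jose key types that also hold key material), a small alg-to-kty table, an injected Fetch function standing in for the JWKS HTTP request, and a single rule of "retry once against freshly fetched keys on any lookup error unless SkipRemoteCheck is set", which condenses the cached-key/remote-key flow the comment lists.

```go
package main

import (
	"errors"
	"fmt"
)

// The two failure modes the comment names; callers can errors.Is against them.
var (
	ErrKeyNone     = errors.New("oidc: no key in the set matches the JWS header")
	ErrKeyMultiple = errors.New("oidc: several keys could match and no kid disambiguates them")
)

// JSONWebKey is a constructed stand-in for a JWKS entry with only the fields
// the selection logic inspects (assumption; the real type also holds the key).
type JSONWebKey struct {
	KeyID string // "kid", may be empty (allowed by RFC 7517)
	Use   string // "use": "sig", "enc" or empty
	Kty   string // "kty": "RSA", "EC", "OKP", "oct"
}

// Header holds the JWS protected-header fields that drive key selection.
type Header struct {
	KeyID     string // "kid", may be empty
	Algorithm string // "alg", e.g. "RS256"
}

// ktyForAlg maps a JWS alg to the key type it needs (assumption: a small table;
// an unknown alg imposes no kty constraint).
func ktyForAlg(alg string) string {
	switch alg {
	case "RS256", "RS384", "RS512", "PS256", "PS384", "PS512":
		return "RSA"
	case "ES256", "ES384", "ES512":
		return "EC"
	case "EdDSA":
		return "OKP"
	case "HS256", "HS384", "HS512":
		return "oct"
	}
	return ""
}

// FindMatchingKey: skip keys not usable for signing, skip keys whose type does
// not fit alg, take an exact non-empty kid match at once, otherwise collect
// keys where either kid is empty and require exactly one survivor.
func FindMatchingKey(h Header, keys []JSONWebKey) (JSONWebKey, error) {
	want := ktyForAlg(h.Algorithm)
	var candidates []JSONWebKey
	for _, k := range keys {
		if k.Use != "" && k.Use != "sig" {
			continue
		}
		if want != "" && k.Kty != want {
			continue
		}
		if h.KeyID != "" && k.KeyID != "" {
			if h.KeyID == k.KeyID {
				return k, nil
			}
			continue // both kids set but different: never use this key
		}
		candidates = append(candidates, k)
	}
	switch len(candidates) {
	case 0:
		return JSONWebKey{}, ErrKeyNone
	case 1:
		return candidates[0], nil
	default:
		return JSONWebKey{}, ErrKeyMultiple
	}
}

// KeySet models a cached JWKS with an optional refresh from the issuer. Fetch
// is injected (assumption) so this runs offline; Fetches counts remote hits.
type KeySet struct {
	Cached          []JSONWebKey
	Fetch           func() []JSONWebKey
	SkipRemoteCheck bool
	Fetches         int
}

func (s *KeySet) refresh() []JSONWebKey {
	s.Fetches++
	s.Cached = s.Fetch()
	return s.Cached
}

// Lookup tries the cache first and, on a miss, pulls the current JWKS once so a
// rotated key is picked up, unless SkipRemoteCheck disables that round trip.
func (s *KeySet) Lookup(h Header) (JSONWebKey, error) {
	keys := s.Cached
	if len(keys) == 0 {
		keys = s.refresh() // no cache yet: use remote keys directly
	}
	k, err := FindMatchingKey(h, keys)
	if err == nil || s.SkipRemoteCheck {
		return k, err
	}
	return FindMatchingKey(h, s.refresh())
}

func main() {
	// Constructed JWKS: RSA signing key with kid, encryption-only key, EC key without kid.
	jwks := []JSONWebKey{{KeyID: "2023-key", Use: "sig", Kty: "RSA"}, {KeyID: "enc-key", Use: "enc", Kty: "RSA"}, {Kty: "EC"}}
	for _, h := range []Header{{KeyID: "2023-key", Algorithm: "RS256"}, {Algorithm: "RS256"}, {Algorithm: "ES256"}, {KeyID: "unknown", Algorithm: "RS256"}} {
		k, err := FindMatchingKey(h, jwks)
		fmt.Printf("header %+v -> kid %q kty %q err %v\n", h, k.KeyID, k.Kty, err)
	}
}
```

Two keys of the same type without kid still yield ErrKeyMultiple, whatever the header says; the caller cannot guess, and trying every candidate would turn a key-set misconfiguration into a silent trust decision. Setting SkipRemoteCheck only makes sense when the issuer never rotates keys, since a cache miss is then returned as-is instead of triggering a refetch.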