Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Failed to decode id_token_hint when using different signer for id_token and others #769

Open
4 of 5 tasks
hijiki51 opened this issue Sep 22, 2023 · 0 comments
Open
4 of 5 tasks

Failed to decode id_token_hint when using different signer for id_token and others #769

hijiki51 opened this issue Sep 22, 2023 · 0 comments
Labels
bug Something is not working.

Comments

@hijiki51
Copy link

Preflight checklist

Ory Network Project

No response

Describe the bug

  • In OpenIDConnectRequestValidator.ValidatePrompt, decode id_token_hint when passed.
  • This Decode function using jwt.Signer passed here.
    • this signer is a compose.CommonStrategy.Signer.
    • ref
  • But, id_token is singed by another singer passed here
  • Therefore, If we use different singer for id_token and other (like access_token), failed to decode id_token_hint,

I think OpenIDConnectRequestValidator should use compose.CommonStrategy.OpenIDConnectTokenStrategy.Signer instead of compose.CommonStrategy.Signer.

Reproducing the bug

  1. Setup two different private key
  2. Configure fosite.OAuth2Provider using two different key
    like this:
keyGetter1 := func(context.Context) (interface{}, error) {
	return key1, nil
}
keyGetter2 := func(context.Context) (interface{}, error) {
	return key2, nil
}
oauth2 := compose.Compose(
	config,
	storage,
	&CommonStrategy{
		CoreStrategy:               NewOAuth2HMACStrategy(config),
		OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter1 , config),
		Signer:                     &jwt.DefaultSigner{GetPrivateKey: keyGetter2},
	},
	OAuth2AuthorizeExplicitFactory,
	OAuth2AuthorizeImplicitFactory,
	OAuth2ClientCredentialsGrantFactory,
	OAuth2RefreshTokenGrantFactory,
	OAuth2ResourceOwnerPasswordCredentialsFactory,
	RFC7523AssertionGrantFactory,

	OpenIDConnectExplicitFactory,
	OpenIDConnectImplicitFactory,
	OpenIDConnectHybridFactory,
	OpenIDConnectRefreshFactory,

	OAuth2TokenIntrospectionFactory,
	OAuth2TokenRevocationFactory,

	OAuth2PKCEFactory,
	PushedAuthorizeHandlerFactory,
)
  1. Access authorization endpoint with id_token_hint parameter

Relevant log output

2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: invalid_request
github.com/ory/x/errorsx.WithStack
        github.com/ory/[email protected]/errorsx/errors.go:41
github.com/ory/fosite/handler/openid.(*OpenIDConnectRequestValidator).ValidatePrompt
        github.com/ory/[email protected]/handler/openid/validator.go:141
github.com/ory/fosite/handler/openid.(*OpenIDConnectExplicitHandler).HandleAuthorizeEndpointRequest
        github.com/ory/[email protected]/handler/openid/flow_explicit_auth.go:50
github.com/ory/fosite.(*Fosite).NewAuthorizeResponse
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: go-jose/go-jose: error in cryptographic primitive

Relevant configuration

No response

Version

github.com/ory/fosite v0.44.1-0.20230807143048-1df109bb45fa

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response
@hijiki51 hijiki51 added the bug Something is not working. label Sep 22, 2023
hijiki51 added a commit to hijiki51/fosite that referenced this issue Sep 23, 2023
@hijiki51
fix: decode id_token_hint with correct signer
a73de86 
BREAKING CHANGE: this commit changed OpenIDConnectTokenStrategy interface.

closes ory#769
@hijiki51 hijiki51 mentioned this issue Sep 23, 2023
Open
6 tasks
hijiki51 added a commit to hijiki51/fosite that referenced this issue Mar 23, 2024
@hijiki51
fix: decode id_token_hint with correct signer
16d2b5c 
BREAKING CHANGE: this commit changed OpenIDConnectTokenStrategy interface.

closes ory#769
hijiki51 added a commit to hijiki51/fosite that referenced this issue Aug 3, 2024
@hijiki51
fix: decode id_token_hint with correct signer
e2730ee 
BREAKING CHANGE: this commit changed OpenIDConnectTokenStrategy interface.

closes ory#769
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something is not working.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@hijiki51