Encryption test

[borleth]

Hello,

I'm trying to validate our custom IDP with openidconnect protocol.
For the test we try to use most common and wellknown node-openid-client, we have now 2 problems :

First, when we configure the RSA key with RSA-OAEP on the client and on the server, all the parsing IDtoken is good.
But when we change only the algo with RSA-OAEP-256 on the client and on the server, the private key on the client is not seen as candidate to decrypt.=> JWKSNoMatchinKey (the candidate is false on the keystore.all on node_module/jose/lib/jwks/keystore.js)

Second, with le RSA-OAEP, we try also to deliver the userInfo with encryption, and there is an exception with "ParseError: Unexpected token e in JSON at position 0 " because it's a JWE so in Base64 encoding.
So how the request userInfo select the JSON simple format and the JWE format with the response it receive ?

We try to follow the RFC with "content-type":"application/jwt;charset=UTF-8" instead of "content-type":"application/json;charset=UTF-8" biut with no difference...
Can i Have somme help to validate the userinfo encryption ?

[panva]

Please provide something tangible, else i cannot help you. Your Node.js version, client metadata, actual tokens, keys, stack traces, userinfo responses, etc.

[borleth]

npm version
{ 'oidc-node': '1.1.0',
npm: '6.14.11',
ares: '1.15.0',
brotli: '1.0.7',
cldr: '36.1',
http_parser: '2.9.3',
icu: '66.1',
modules: '64',
napi: '5',
nghttp2: '1.40.0',
node: '10.19.0',
openssl: '1.1.1d',
tz: '2021a',
unicode: '13.0',
uv: '1.34.2',
v8: '6.8.275.32-node.55',
zlib: '1.2.11' }

[panva]

But when we change only the algo with RSA-OAEP-256 on the client and on the server, the private key on the client is not seen as candidate to decrypt.=> JWKSNoMatchinKey (the candidate is false on the keystore.all on node_module/jose/lib/jwks/keystore.js)

You're probably not running a node.js version capable of this algorithm. >= 12.9.0 is required. Either that, or the key's alg or use is not set appropriately.

[borleth]

node 10.19.0 on ubuntu 20.04. So i try with a newer version...
use and alg are correctly set because it's work with the algorithm RSA-OAEP.

[panva]

Second, with le RSA-OAEP, we try also to deliver the userInfo with encryption, and there is an exception with "ParseError: Unexpected token e in JSON at position 0 " because it's a JWE so in Base64 encoding.

Is your JWE Content plaintext json? then set your client's userinfo_signed_response_alg to undefined. If it's a JWT, set the same property to the appropriate JWS algorithm the OP uses to sign the userinfo nested inside the JWE.

[borleth]

Sorry it a copy/paste from the view of the JSON in Firefox.

How can I export the OP metadata after the openid-client initialisation ?

[panva]

I'm not interested in your OP metadata, please read carefully.

[panva]

I've also already answered what the expected configuration is when.

[borleth]

I have in .env file :

O2N_IDP_BASE_URL='https://mylab.com/oidc/snumarchi-lab-ec'
O2N_IDP_CLIENT_ID='ClientID_ES256'
O2N_IDP_TOKEN_AUTH_METHOD='client_secret_post'
O2N_IDP_SIGN_ALG='ES256'
O2N_IDP_SIGN_ENC_ALG='RSA-OAEP'
O2N_IDP_SIGN_ENC='A256GCM'

In app/config/config.js

  // Suffixe générique de l'URL de découverte
  DISCOVERY_ENDPOINT_SUFFIX: '/.well-known/openid-configuration',
  STRATEGY_NAME: 'oidc',

  idpBaseURL: process.env.O2N_IDP_BASE_URL,
  idpClientID: process.env.O2N_IDP_CLIENT_ID || 'ClientID-Non-Renseigne',
  idpClientSecret: process.env.O2N_IDP_CLIENT_SECRET || 'ClientSecret-Non-Renseigne',
  idpTokenAuthMethod : process.env.O2N_IDP_TOKEN_AUTH_METHOD || 'client_secret_basic',
  idpScopes: process.env.O2N_IDP_SCOPES || 'openid profile name email address',
  idpSignAlg: process.env.O2N_IDP_SIGN_ALG || 'RS256',
  idpSignEncAlg: process.env.O2N_IDP_SIGN_ENC_ALG ,
  idpSignEnc: process.env.O2N_IDP_SIGN_ENC ,
  idpClientEncJwk: '{"keys":[{"kty":"RSA","alg":"RSA-OAEP","kid":"RSA2","use":"enc","e":"AQAB","n":".....","p":".....","q":"......","d":"......","qi":"......","dp":".....","dq":"...."}]}',
  

And in PassportOpenId.js

// Initialisation de la stratégie Passport et du client OIDC
Issuer.discover(config.discoveryURL)
    .then((idpIssuer) => {
      log.info('Début de configuration du fournisseur d\'identité: %s', config.discoveryURL);
      const client = new idpIssuer.Client({
        client_id: config.idpClientID,
        client_secret: config.idpClientSecret,
        redirect_uris: [config.callbackLoginURL],
        response_types: ['code'],
        token_endpoint_auth_method: config.idpTokenAuthMethod,
        id_token_signed_response_alg: config.idpSignAlg,
        id_token_encrypted_response_alg: config.idpSignEncAlg,
        id_token_encrypted_response_enc: config.idpSignEnc
      },JSON.parse(config.idpClientEncJwk));

      config.idpLogoutURL = idpIssuer.metadata.end_session_endpoint;
      log.info('URL de déconnexion récupérée: %s', config.idpLogoutURL);
      passport.use(config.STRATEGY_NAME,
          new Strategy(
              {client: client, params: {scope: config.idpScopes},usePKCE: true},
              (tokenSet, userInfo, done) => {
                return done(null, mapUser(userInfo, tokenSet));
              }));
      log.info('Fin de configuration du fournisseur d\'identité: %s', config.discoveryURL);
    }).catch((error) => {
      log.error('Erreur de configuration Passport: %s', error);
    });

[borleth]

I understand my problem.
I have add in the client initialisation

        userinfo_signed_response_alg: config.idpSignAlg,
        userinfo_encrypted_response_alg: config.idpSignEncAlg,
        userinfo_encrypted_response_enc: config.idpSignEnc

[panva]

We try to follow the RFC with "content-type":"application/jwt;charset=UTF-8" instead of "content-type":"application/json;charset=UTF-8" biut with no difference...

Irrelevant, what matters is the client metadata.