You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We've been working on expanding the use of OpenID Connect to remove some older authentication methods in places, but ran into some issues due to how ADFS creates tokens.
Some de-personalized tokens from an authentication, as example; (with output from https://jwt.ms)
As seen, the access token is missing the 'kid' header, and instead only contains an 'x5t' header - albeit with the exact same data as 'kid' would've contained. This caused validation to fail when using JWKs, as the signature verification wasn't able to read the key id.
Here's a simple one-line patch that got around the issue for us, but I really feel like this isn't the correct way to go about with things;
--- /a/lib/jwt/decode.rb 2020-09-10 10:09:12.183103903 +0200+++ /b/lib/jwt/decode.rb 2020-09-10 10:55:26.259471083 +0200@@ -34,7 +34,7 @@
def verify_signature
@key = find_key(&@keyfinder) if @keyfinder
- @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks]+ @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['x5t']) if @options[:jwks]
raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty?
raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
The text was updated successfully, but these errors were encountered:
Think the gem itself cannot have these kind of fallbacks or exceptions. The JWT RFC states When used with a JWK, the "kid" value is used to match a JWK "kid" parameter value
But you can for your case have the exception by giving the keyfinder as a parameter to the decode method.
jwk = JWT::JWK.new(OpenSSL::PKey::RSA.new(2048))
payload, headers = { data: 'data' }, { x5t: jwk.kid }
token_with_x5t_instead_of_kid = JWT.encode(payload, jwk.keypair, 'RS512', headers)
jwk_loader = ->(options) do
{ keys: [jwk.export] }
end
decoded_payload, decoded_headers = JWT.decode(token_with_x5t_instead_of_kid, nil, true, { algorithms: ['RS512']}) do |header|
::JWT::JWK::KeyFinder.new(jwks: jwk_loader).key_for(header['kid'] || header['x5t'])
end
p decoded_payload
We've been working on expanding the use of OpenID Connect to remove some older authentication methods in places, but ran into some issues due to how ADFS creates tokens.
Some de-personalized tokens from an authentication, as example; (with output from https://jwt.ms)
Access Token;
ID token;
As seen, the access token is missing the 'kid' header, and instead only contains an 'x5t' header - albeit with the exact same data as 'kid' would've contained. This caused validation to fail when using JWKs, as the signature verification wasn't able to read the key id.
Here's a simple one-line patch that got around the issue for us, but I really feel like this isn't the correct way to go about with things;
The text was updated successfully, but these errors were encountered: