[Bug]: Not able to connect Yahoo because of ES256 #4899

Closed
CMiksche opened this issue Dec 19, 2022 · 5 comments
Labels
bug Something isn't working

Comments

@CMiksche
Contributor

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Environment

Self-hosted

Describe the bug

I want to connect Yahoo as an OpenID Connect Provider to my Zitadel Instance.

Yahoo itself describes that "ES256" and "RS256" are supported.

But when I try to connect as a User after setting up an App at Yahoo, I get the following:

signature algorithm not supported: id token signed with unsupported algorithm, expected ["RS256"] got "ES256"

To reproduce

  1. Follow https://developer.yahoo.com/oauth2/guide/openid_connect/getting_started.html to set up an App at Yahoo
  2. Try to login with Zitadel
  3. You will see the Error Message

Screenshots

No response

Expected behavior

No response

Version

2.16.0

Operating System

No response

Relevant Configuration

No response

Additional Context

No response

CMiksche added the "state: triage" and "bug" labels Dec 19, 2022
@fforootd
Member

fforootd commented Dec 19, 2022

Hm good question.

Their discovery document clearly shows RSA support.

With a quick glance I did not see how to switch this 🙈

Maybe @livio-a has an idea.

Might influence #4431

@CMiksche
Contributor Author

Some OpenID Connect Providers like netID allow the selection in the application creation interface but I couldn't find anything there at Yahoo...

I sent them (Yahoo) a mail about it - let's see if they respond.

But couldn't Zitadel also support ES256? It seems like many Providers use ES256 as default (e.g. netID also uses ES256 besides RS256)

BTW: Off-topic, but when an OpenID Connect Provider only allows one Callback URL, which one should I use - the Zitadel Register or Login Callback URL?

@hifabienne
Member

hifabienne commented Jan 6, 2023

Hi @CMiksche
At the moment our OIDC library only supports RS256.
I just created an issue for it: zitadel/oidc#259
But I can't tell you a timeline on that right now.
@livio-a Do we need to implement something on the ZITADEL side? Or does it work as soon as the lib is capable?

@livio-a
Member

livio-a commented Jan 9, 2023

@hifabienne I rechecked the implementation. It's already possible to handle token signatures other than RS256, but it's currently not as dynamic as needed. I'll add some info to the oidc issue. Regardless of that, ZITADEL only needs to update the library afterwards.

@hifabienne
Member

So I will close this issue since we track the progress in zitadel/oidc#259
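
The algorithm check behind the error quoted in this issue, as an added example that is not part of the thread and is not code from ZITADEL or zitadel/oidc: a relying party compares the ID token's `alg` header with its own allowlist before it verifies the signature, so an ES256 token is rejected until ES256 is on that list. The names `verifyIDToken` and `sampleToken`, the generated key and the claims are assumptions made for illustration, and only ES256 verification is implemented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding

// verifyIDToken (hypothetical helper) checks the header alg against the allowlist, then the signature.
func verifyIDToken(token string, allowed []string, key *ecdsa.PublicKey) error {
	p := strings.Split(token, ".")
	var hdr struct{ Alg string `json:"alg"` }
	raw, err := b64.DecodeString(p[0])
	if len(p) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return fmt.Errorf("malformed compact JWS")
	}
	if !slices.Contains(allowed, hdr.Alg) { // also rejects "none" and unknown algs
		return fmt.Errorf("id token signed with unsupported algorithm, expected %q got %q", allowed, hdr.Alg)
	}
	sum := sha256.Sum256([]byte(p[0] + "." + p[1]))
	sig, err := b64.DecodeString(p[2]) // ES256 signature is raw r||s, 32 bytes each
	if hdr.Alg != "ES256" || err != nil || len(sig) != 64 ||
		!ecdsa.Verify(key, sum[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return fmt.Errorf("ES256 verification failed (no other algorithm is implemented here)")
	}
	return nil
}

// sampleToken returns a constructed ES256 token and its public key, standing in for the provider.
func sampleToken(claims string) (string, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	in := b64.EncodeToString([]byte(`{"alg":"ES256"}`)) + "." + b64.EncodeToString([]byte(claims))
	sum := sha256.Sum256([]byte(in))
	r, s, _ := ecdsa.Sign(rand.Reader, priv, sum[:])
	return in + "." + b64.EncodeToString(append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)), &priv.PublicKey
}

func main() {
	tok, pub := sampleToken(`{"sub":"constructed"}`)
	fmt.Println(verifyIDToken(tok, []string{"RS256"}, pub), "|", verifyIDToken(tok, []string{"RS256", "ES256"}, pub))
}
```

The allowlist is applied to the header value before any key is used, which is also what keeps a token with `"alg":"none"` or a substituted algorithm from reaching the signature check.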
