fix: include client_assertion in token hook payload #3949
Conversation
|
That‘s on purpose - like we don’t include the client_secret, auth code, or other tokens. |
|
`client_assertion` is not a secret though, and `assertion` _is_ included.
…On Thu, Feb 20, 2025, 17:36 hackerman ***@***.***> wrote:
That‘s on purpose - like we don’t include the client_secret, auth code, or
other tokens.
—
Reply to this email directly, view it on GitHub
<#3949 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/BAGBHIQBEFRH423MQHI6LSD2QYAA7AVCNFSM6AAAAABXQHT2XCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNZSGAZTSNBRGI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
[image: aeneasr]*aeneasr* left a comment (ory/hydra#3949)
<#3949 (comment)>
That‘s on purpose - like we don’t include the client_secret, auth code, or
other tokens.
—
Reply to this email directly, view it on GitHub
<#3949 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/BAGBHIQBEFRH423MQHI6LSD2QYAA7AVCNFSM6AAAAABXQHT2XCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDMNZSGAZTSNBRGI>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
|
Would it not be possible to replay the auth grant with the assertion? |
|
A replay attempt would be rejected because the |
|
I see, it will probably more difficult to implement, but what do you think of instead including the client assertion claims and not the token itself, so that the webhook target does not need to verify the JWT? |
|
Yeah, that would work; I'll see if I can figure out how to do that. |
phooijenga
force-pushed
the
token-hook-include-client-assertion
branch
from
c1d0eb1 to
81c5802
Compare
|
Getting the claims also requires some changes in Fosite, for which I have created ory/fosite#844. I based it on v0.49.0 to avoid adding unnecessary changes in this MR, which now has a I'm not sure the approach I took to make the claims available is the right one, and it should probably have a test. |
|
I am curious, why do you need access to the assertion itself/claims in the hook? |
|
We want to validate/verify some of the claims in the assertion, and copy them to the access token. |
|
But isn't everything in the assertion self-asserted? Client can put anything they want in there? |
|
Yes, we are aware :) |
|
That's quite dangerous, I would say! Access tokens should only have trusted content |
|
Maybe they have some out-of-band way of verifying content, like additional signatures and stuff. Or maybe it is non-critical stuff like first and last name they allow one just to pick arbitrary. |
We want to use JWTs for client authentication in combination with a token hook.
Related issue(s)
When a client authenticates via the
private_key_jwtauth method the payload includesand
This works, and the token hook is called, but it does not include the assertion.
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security vulnerability, I
confirm that I got the approval (please contact
security@ory.sh) from the maintainers to push
the changes.
works.
Further Comments
I didn't see any tests for the
private_key_jwtauth method, so I copied and modified some of the existing tests for JWT as Authorization Grant.