
Check and add to validation missed steps if identified #400

Closed
yuriyz opened this issue Jan 2, 2020 · 8 comments

Comments

@yuriyz
Contributor

@yuriyz yuriyz commented Jan 2, 2020

http://openid.net/specs/openid-connect-core-1_0.html

Sections
3.1.2.7
3.1.3.5
3.1.3.7
3.2.2.9

@yuriyz yuriyz added the enhancement label Jan 2, 2020
@yuriyz yuriyz added this to the 4.2 milestone Jan 2, 2020
@duttarnab

Collaborator

@duttarnab duttarnab commented Jan 6, 2020

Hi @yuriyz, all the above validations are present, except the two points below. Could you please confirm?

In Section 3.1.3.7

  1. I guess validations #4 and #5 are missing from oxd. Could you please confirm?

  2. If id_token_signed_response_alg is set to an alg like HS256, HS384, or HS512, then an invalid_id_token_bad_signature error is thrown from

https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/op/Validator.java#L154

@yuriyz

Contributor Author

@yuriyz yuriyz commented Jan 6, 2020

@duttarnab

  1. Yes, the check for the azp claim is missing. Please add it with a proper test.
  2. Re: HS256. Can you drop a sample id_token, publicKey and discoveryResponse where it fails?
@duttarnab

Collaborator

@duttarnab duttarnab commented Jan 7, 2020

It fails at /get-tokens-by-code. I found no kid (Key ID) in the id_token.

https://github.com/GluuFederation/oxd/blob/master/oxd-server/src/main/java/org/gluu/oxd/server/op/Validator.java#L154

id_token: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJhdF9oYXNoIjoiek5QcHJrTE8ycE9NOTRvMkdpYnBVUSIsImF1ZCI6ImE5OGVjYWM4LWI2OTctNDJkNy1iYWE4LTBmZmNkMzVhNjgwOSIsImFjciI6ImJhc2ljIiwic3ViIjoic3NSZEwxSzUwNlhsRWFFUU9PWUl2a0VUMVg3Um00R29lWEF4S0d1UGlMTSIsImFtciI6WyIxMCJdLCJhdXRoX3RpbWUiOjE1NzgzNzQzNzAsImlzcyI6Imh0dHBzOi8vY2UtZGV2NS5nbHV1Lm9yZyIsImV4cCI6MTU3ODM3Nzk4OSwiaWF0IjoxNTc4Mzc0Mzg5LCJub25jZSI6IjZwcXRuZWY2M29uZjJtcnFkZTk2MTBvMHU3Iiwib3hPcGVuSURDb25uZWN0VmVyc2lvbiI6Im9wZW5pZGNvbm5lY3QtMS4wIn0.dV4dykzkRDadN9bgkzAeEuz3d2jXSJUUQ7mtv47JEww

publicKey: null

discoveryResponse: OpenIdConfigurationResponse{issuer='https://ce-dev5.gluu.org', authorizationEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/authorize', tokenEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/token', tokenRevocationEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/revoke', userInfoEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/userinfo', clientInfoEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/clientinfo', checkSessionIFrame='https://ce-dev5.gluu.org/oxauth/opiframe.htm', endSessionEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/end_session', jwksUri='https://ce-dev5.gluu.org/oxauth/restv1/jwks', registrationEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/register', idGenerationEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/id', introspectionEndpoint='https://ce-dev5.gluu.org/oxauth/restv1/introspection', scopesSupported=[http://photoz.example.com/dev/actions/internalClient, clientinfo, user_name, work_phone, mobile_phone, http://photoz.example.com/dev/actions/view, https://ce-dev5.gluu.org/oxauth/restv1/uma/scopes/scim_access, oxd, super_gluu_ro_session, org_name, email, http://photoz.example.com/dev/actions/remove, address, test, http://photoz.example.com/dev/actions/all, http://photoz.example.com/dev/actions/add, openid, profile, uma_protection, http://photoz.example.com/dev/scopes/view, permission, http://photoz.example.com/dev/actions/see, http://photoz.example.com/dev/scopes/all, http://photoz.example.com/dev/actions/a1, http://photoz.example.com/dev/actions/a2, modify, oxtrust-api-write, oxtrust-api-read, http://photoz.example.com/dev/actions/walk, phone, http://photoz.example.com/dev/actions/a3], responseTypesSupported=[token id_token, code id_token, code, token, code token id_token, id_token, code token], responseModesSupported=[query, form_post, fragment], grantTypesSupported=[refresh_token, authorization_code, implicit, password, client_credentials, urn:ietf:params:oauth:grant-type:uma-ticket], acrValuesSupported=[basic_lock, 
auth_ldap_server, super_gluu, basic], subjectTypesSupported=[public, pairwise], userInfoSigningAlgValuesSupported=[HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512], userInfoEncryptionAlgValuesSupported=[RSA1_5, RSA-OAEP, A128KW, A256KW], userInfoEncryptionEncValuesSupported=[RSA1_5, RSA-OAEP, A128KW, A256KW], idTokenSigningAlgValuesSupported=[none, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512], idTokenEncryptionAlgValuesSupported=[RSA1_5, RSA-OAEP, A128KW, A256KW], idTokenEncryptionEncValuesSupported=[A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM], requestObjectSigningAlgValuesSupported=[none, HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512], requestObjectEncryptionAlgValuesSupported=[RSA1_5, RSA-OAEP, A128KW, A256KW], requestObjectEncryptionEncValuesSupported=[A128CBC+HS256, A256CBC+HS512, A128GCM, A256GCM], tokenEndpointAuthMethodsSupported=[client_secret_basic, client_secret_post, client_secret_jwt, private_key_jwt], tokenEndpointAuthSigningAlgValuesSupported=[HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512], displayValuesSupported=[page, popup], claimTypesSupported=[normal], claimsSupported=[oxAuthRedirectURI, street_address, country, zoneinfo, birthdate, gender, formatted, user_name, oxAuthIdTokenSignedResponseAlg, work_phone, oxAuthScope, phone_mobile_number, preferred_username, locale, inum, oxAuthAppType, updated_at, nickname, org_name, member_of, email, website, email_verified, profile, locality, phone_number_verified, given_name, middle_name, picture, name, phone_number, postal_code, region, family_name], idTokenTokenBindingCnfValuesSupported=[], serviceDocumentation='http://gluu.org/docs', claimsLocalesSupported=[en], uiLocalesSupported=[en, es], claimsParameterSupported=true, requestParameterSupported=true, requestUriParameterSupported=true, tlsClientCertificateBoundAccessTokens=true, frontChannelLogoutSupported=true, frontChannelLogoutSessionSupported=true, requireRequestUriRegistration=false, 
opPolicyUri='http://ox.gluu.org/doku.php?id=oxauth:policy', opTosUri='http://ox.gluu.org/doku.php?id=oxauth:tos', scopeToClaimsMapping={http://photoz.example.com/dev/actions/internalClient=[], clientinfo=[name, inum, oxAuthAppType, oxAuthIdTokenSignedResponseAlg, oxAuthRedirectURI, oxAuthScope], user_name=[user_name], work_phone=[work_phone], mobile_phone=[phone_mobile_number], http://photoz.example.com/dev/actions/view=[], https://ce-dev5.gluu.org/oxauth/restv1/uma/scopes/scim_access=[], oxd=[], super_gluu_ro_session=[], org_name=[org_name], email=[email_verified, email], http://photoz.example.com/dev/actions/remove=[], address=[formatted, postal_code, street_address, locality, country, region], test=[member_of], http://photoz.example.com/dev/actions/all=[], http://photoz.example.com/dev/actions/add=[], openid=[], profile=[name, family_name, given_name, middle_name, nickname, preferred_username, profile, picture, website, gender, birthdate, zoneinfo, locale, updated_at], uma_protection=[], http://photoz.example.com/dev/scopes/view=[], permission=[], http://photoz.example.com/dev/actions/see=[], http://photoz.example.com/dev/scopes/all=[], http://photoz.example.com/dev/actions/a1=[], http://photoz.example.com/dev/actions/a2=[], modify=[], oxtrust-api-write=[], oxtrust-api-read=[], http://photoz.example.com/dev/actions/walk=[], phone=[phone_number_verified, phone_number], http://photoz.example.com/dev/actions/a3=[]}', backchannelAuthenticationEndpoint=null', backchannelTokenDeliveryModesSupported=[]', backchannelAuthenticationRequestSigningAlgValuesSupported=[]', backchannelUserCodeParameterSupported=null'}

@yuriyz

Contributor Author

@yuriyz yuriyz commented Jan 8, 2020

@duttarnab for HS256 (as well as the other HS algorithms) add validation via HMACSigner, not RSASigner. For ES use ECDSASigner. Please check each algorithm.

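The two fixes discussed in this thread, the missing azp checks (steps 4 and 5 of OpenID Connect Core 3.1.3.7) and verifying HS*-signed id_tokens with the client_secret as the HMAC key rather than an RSA key from the JWKS, as an added stdlib-only Python example. This is not oxd's code; the issuer, client_id, secret and claims in the test are constructed.

```python
import base64, hashlib, hmac, json

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs_token(payload: dict, client_secret: str, alg: str = "HS256") -> str:
    """Build a compact JWS signed with HMAC; only used to create constructed test tokens."""
    header = b64url_encode(json.dumps({"typ": "JWT", "alg": alg}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    mac = hmac.new(client_secret.encode(), f"{header}.{body}".encode(), HS_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(mac)}"

def verify_signature(id_token: str, client_secret: str) -> dict:
    """3.1.3.7 steps 6-8: HS* tokens carry no kid; the MAC key is the client_secret, not a JWKS key."""
    header_b64, body_b64, sig_b64 = id_token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in HS_ALGS:
        # RS*/ES* tokens need the JWKS key named by kid and an RSA/ECDSA verifier instead
        raise ValueError(f"alg {alg!r} needs an asymmetric verifier, not HMAC")
    expected = hmac.new(client_secret.encode(), f"{header_b64}.{body_b64}".encode(), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid_id_token_bad_signature")
    return json.loads(b64url_decode(body_b64))

def validate_claims(claims: dict, issuer: str, client_id: str, nonce: str, now: int) -> None:
    """Claim checks from OpenID Connect Core 3.1.3.7 (steps 2-5, 9 and 11)."""
    if claims.get("iss") != issuer:                          # step 2
        raise ValueError("iss does not match the OP issuer")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:                                # step 3
        raise ValueError("aud does not contain this client_id")
    if len(auds) > 1 and "azp" not in claims:                # step 4 (the check oxd was missing)
        raise ValueError("azp is required when aud has multiple values")
    if "azp" in claims and claims["azp"] != client_id:       # step 5 (the check oxd was missing)
        raise ValueError("azp does not match this client_id")
    if now >= int(claims["exp"]):                            # step 9
        raise ValueError("id_token has expired")
    if claims.get("nonce") != nonce:                         # step 11
        raise ValueError("nonce mismatch")

def validate_id_token(id_token, client_secret, issuer, client_id, nonce, now) -> dict:
    claims = verify_signature(id_token, client_secret)
    validate_claims(claims, issuer, client_id, nonce, now)
    return claims
```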
@duttarnab

Collaborator

@duttarnab duttarnab commented Jan 9, 2020

In PR #401 we have:

  1. Added validation for the azp claim
  2. Added HMACSigner and ECDSASigner for their algos.
yuriyz added a commit that referenced this issue Jan 10, 2020
#400 - Check and add to validation missed steps if identified
@duttarnab

Collaborator

@duttarnab duttarnab commented Jan 11, 2020

Done using #401

@duttarnab duttarnab closed this Jan 11, 2020
@yuriyz yuriyz reopened this Jan 22, 2020
@yuriyz

Contributor Author

@yuriyz yuriyz commented Jan 22, 2020

@duttarnab it's fixed in 4.2 which is good but we need to backport it to 4.1.

yuriyz added a commit that referenced this issue Jan 22, 2020
#400 - Check and add to validation missed steps if identified
@yuriyz

Contributor Author

@yuriyz yuriyz commented Jan 22, 2020

Merged into 4.1, closing.

@yuriyz yuriyz closed this Jan 22, 2020