New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Supported Signing Algorithms: Add Support to the Provider struct for parsing the supported signing algorithms #225
Comments
I'd be okay with a PR for verifiers to automatically support the algorithms from discovery. But HS512 is a symmetric signing algorithm, which this pack age doesn't support. In these cases you need to provide symmetric verification keys through a different channel anyway since they can't be a part of discovery. I believe it's actually the client secret that does the signing. https://tools.ietf.org/html/rfc7518#section-3.1 |
@ericchiang thanks a lot for explaining.
Is this a limitation of this package or of the underlying jose library? |
This is an intentional limitation of this package. Mixing symmetric and asymmetric algorithms is a recipe for API misuse :) https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/#RSA-or-HMAC-
If we did add this, I'd want to be very careful about the API to make it clear that this is a different trust model. Spit-balling, this should probably be a different Verifier entirely. As mentioned in kubeflow/kubeflow#4550 (comment), if the provider supports RS256 or some other asymmetric algorithm, it's much safer to stick to that instead of assuming the client_secret stays secret.
You'd have to roll your own verifier. This package isn't meant to be used with HS256.
I'll send a PR to automatically support algorithms advertised by the provider and add an example of doing something custom there. |
Actually, looking at our code I think you can provide a KeySet to support symmetric algorithms... That's terrifying. Please give me a sec to think if that's actually want our clients to be able to do that before using that. |
@ericchiang thanks a lot for taking the time to write such an informative answer, I really appreciate it and I think I understand much better what the problem is 😄
Very interesting. So the library needs to make sure the correct key is used for each algorithm.
That would be awesome!
You mean by making your own KeySet interface implementation? |
@ericchiang kind ping on this in case you have any updates on:
Again, I am very open to getting my hands dirty and submitting for PRs for both of these, but I'd like to get your advice first. |
@yanniszark can you take a look at #227? That should ensure that if a provider advertises support for more algorithms, the verifier will automatically pick up those values. Given that in kubeflow/kubeflow#4550 the user just switched to an asymmetric signing algorithm, I don't think it's worth supporting symmetric algorithms. |
@ericchiang thanks! I'll take a look asap! :)
It's true that the original use-case seems to be resolved. |
Hi all!
We have been using the go-oidc library to build an oidc-authservice for the Kubeflow Istio Gateway and a user stumbled on an unsupported signing algorithm error while using a different from RS256 signing algorithm. (kubeflow/kubeflow#4550).
The code we use for getting a verifier is:
I would expect that the provider would save the supported signing algorithms for idtoken and userinfo in its internal struct. Those are give in the standard fields
id_token_signing_alg_values_supported
anduserinfo_signing_alg_values_supported
.I think this is something we would want to support, otherwise I have to manually scrape the well-known endpoint for that info.
If you're ok with it, I can put the cycles to prepare a PR for this.
/cc @ericchiang
The text was updated successfully, but these errors were encountered: