Microsoft Identity JWKS "alg" issue #246
Comments
|
Thanks for reporting! Adding a config option makes total sense. I'd keep it off by default, as it's more secure, but allow enabling via config. |
|
Hey, I've been digging a bit on how The option enables this part of the code: https://github.com/lestrrat-go/jwx/blob/v2.0.21/jws/key_provider.go#L127 But this is a fallback in case the algorithm is not present in the JWKS key itself, since it first checks that here: https://github.com/lestrrat-go/jwx/blob/v2.0.21/jws/key_provider.go#L117 Feel free to open a PR adding it and please add a test case here with a key set and a token matching your case. Thanks! |
|
Thanks for the responses! I've created a PR: #247. I'm new to Go so I wasn't quite sure how best to lay out the test - let me know if you want me to tweak that at all. |
|
Fixed in #247 |
We're using Istio authservice's OIDC functionality with Microsoft Identity/Entra as the identity provider. After login, the authservice logs display the error:
level=error msg="error verifying id token with fetched jwks" x-request-id="..." scope="authz" type="oidc" session-id="..." error="could not verify message using any of the signatures or keys"Microsoft's JWKS keys don't contain an
"alg"object key that the github.com/lestrrat-go/jwx/v2/jws library assumes will be there by default, used to determine which key to use for verification.I found that changing the
jws.WithKeySet()call on this line tojws.WithKeySet(jwtSet, jws.WithInferAlgorithmFromKey(true))solves the issues by inferring the algorithm to use.Could authservice add some sort of configuration option to allow for the algorithm key to be inferred like this? Without it, it doesn't look like it's possible to use Entra as an identity provider.
The text was updated successfully, but these errors were encountered: