New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC: extract claims from JWT access token #2276
Conversation
pac4j-oidc/src/main/java/org/pac4j/oidc/profile/creator/OidcProfileCreator.java
Outdated
Show resolved
Hide resolved
Updated PR with minor adjustments and tests. |
Hey all, after upgrading to pac4j 5.4.4 we had some test failures, which we were eventually able to trace back to this pull request. After looking at it we think there are some issues with the current implementation.
This feature seems a bit large for such a minor upgrade (5.4.3 -> 5.4.4) and due to the above issues, we think that it might be better to revert this pull request and reimplement the feature at a later date. |
Thanks much for the details.
Reverting is not possible; we have this feature used in production in 1-2
places. You're welcome to submit a pull request to make improvements.
|
Also, please do not comment on merged pull requests. There are mailing lists reserved for discussions and evaluations, if necessary (which sounds like it might not be in this case, and we just need to apply 1-2 patches from you) |
|
Reading https://www.rfc-editor.org/rfc/rfc8725, a security risk could be JWT substitution attacks. I don't see how this could be possible between clients given that the ID token validation (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) checks the @mmoayyed for JWT access tokens generated by the CAS server, does it respect that the |
@mmoayyed I just did the test by myself ;-) and it's not the case (the type is "JWT"): we should certainly change that for the incoming CAS v6.6.0? What do you think? |
That sounds like a good idea, sure. |
@leleuj The validation of access tokens according to RFC 9068 (https://www.rfc-editor.org/rfc/rfc9068.html#name-validating-jwt-access-token) and ID tokens according to the OIDC specification (https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation) is quite different. To summarize:
|
@papegaaij Thanks for summarizing both validation processes. Very clear. It looks like we will need a specific access token validation eventually. For the ID token validation, we rely on the The RFC 9068 is not currently supported: https://connect2id.com/products/nimbus-oauth-openid-connect-sdk#specs / https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/issues?status=new&status=open I think it should be implemented in the Nimbus SDK instead of pac4j. What do you think? |
Yes, that would make sense. However, supporting RFC 9068 without the Nimbus SDK providing a specific implementation it, isn't very hard. For pac4j, being a client library, only the part about validation would apply. All the components needed to implement this validation are already included in the Nimbus SDK. |
The current implementation does not comply to RFC 9068, but it works for the JWT access tokens generated by the CAS server (they have the "nonce" claim for example). I will cut the 5.4.5 release to fix the NPE. If someone needs a true RFC9068 validation, a PR will be welcome. |
The risk lies in the fact that a consumer of a profile has no way of knowing whether a profile attribute originates from the verifiable and validated ID token or was just some random claim from the access token. The OAuth2 spec states that access tokens should be opaque to the client; that is, the client should not make any assumptions on the format or contents of such a token. RFC 9068 (https://www.rfc-editor.org/rfc/rfc9068.html#name-privacy-considerations) goes even further in this regard:
Therefore any RFC 9068 compliant client implementation MUST NOT inspect the contents of the access token. The JWT RFC 7519 describes the validation of the |
Access tokens can be issued as JWTs. They are not always opaque and they can be made into a JWT using a variety of ways, supported by many IDPs and in many cases required by many frameworks and consumed in a variety of ways including client applications that may or may not be treated as resource servers. You can customize this bit as you like with options and settings, but the overall core functionality must remain in place, and there is no literature that would invalidate this, as evidenced by many many certified OIDC implementations. |
To clarify things better:
|
@mmoayyed It is true that access tokens can be JWTs, that's what RFC 9068 describes. However, even though the client is technically able to inspect such a token, RFC 9068 clearly states that it MUST NOT do so. It must still treat the token as opaque. The OAuth2.1 draft also explains this: IMHO pac4j should not enable such processing by default. I do not have an issue with pac4j providing functionality to do this processing, but it should be disabled by default. Processing of claims in an access token should only be done if there is an agreement between the client and the authorization server about the format of the token and the presence of certain claims. And in that case, the client must also perform all validation required by the JWT spec (which includes checking the audience of the token). I can prepare a PR to make this processing optional and disabled by default. |
I have no problem with making this behavior optional and making it be the default. Please do so with a PR. Thank you. |
When OIDC OP produces an access token as JWT, pac4j must be able to extract those claims as well, after verifying the AT. Currently, only ID token claims and profile claims are collected into the profile.