JWT API Authentication not working as expected #2120
According to https://privacyidea.readthedocs.io/en/latest/installation/system/inifile.html#trusted-jwts, API authentication using a JSON Web Token works, but not as expected / initially requested by GWDG (CC to @m0ark and @foobarable): The idea was to be able to impersonate the calling party as an arbitrary user, as long as the JWT signature is trusted (e.g. call GET /user/ and only see the user's own details). This, however, works only for single users, i.e. those exact usernames that were configured in the
Steps to reproduce
1. Configure PI_TRUSTED_JWT with public key Kpub, algorithm RS256 and do not specify a specific username
Given the JWT can be verified using a trusted public key Kpub, any username is accepted, given that realm, role and resolver match.
Authentication fails, with a misleading error message that mentions some failing fallback to an "HS256" algorithm.
This is apparently due to an exact string match in
However, the username comparison should not be exact-string-match. A suggestion for improvement would be a regexp match here.
(as I said, the error message is misleading)
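As an added example (not privacyIDEA's own code), this sketches the suggested regexp match for the username while keeping realm, role and resolver as exact comparisons; the `TrustedJwtEntry` model, its field names and the `entry_matches` / `find_trusted_entry` helpers are assumptions for illustration, and signature verification against Kpub is assumed to happen before this check. The pattern is matched with `re.fullmatch`, so a configured pattern cannot accidentally cover more usernames than intended.

```python
import re
from dataclasses import dataclass


# Hypothetical model of one PI_TRUSTED_JWT entry. The field names are an
# assumption for this example, not privacyIDEA's real configuration format.
@dataclass(frozen=True)
class TrustedJwtEntry:
    username: str            # exact name, or a pattern when is_regex is True
    realm: str
    role: str
    resolver: str
    is_regex: bool = False


def entry_matches(entry: TrustedJwtEntry, claims: dict) -> bool:
    """Return True if already-verified JWT claims satisfy one trusted entry.

    Signature verification with the trusted public key Kpub is assumed to have
    happened before this check. realm, role and resolver stay exact-string
    comparisons; only the username may be a pattern, and it is matched with
    re.fullmatch so that e.g. 'svc-[a-z0-9]+' does not also accept
    'admin-svc-x' through a partial (re.search style) match.
    """
    for key in ("realm", "role", "resolver"):
        if claims.get(key) != getattr(entry, key):
            return False
    name = claims.get("username")
    if not isinstance(name, str):
        return False
    if entry.is_regex:
        return re.fullmatch(entry.username, name) is not None
    return name == entry.username


def find_trusted_entry(entries, claims):
    """Return the first entry the claims satisfy, or None to reject the JWT."""
    for entry in entries:
        if entry_matches(entry, claims):
            return entry
    return None


# Constructed sample configuration: one exact-username entry, one pattern entry.
TRUSTED_ENTRIES = [
    TrustedJwtEntry("alice", "realm1", "user", "resolver1"),
    TrustedJwtEntry(r"svc-[a-z0-9]+", "realm1", "user", "resolver1", True),
]
```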