Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JWT API Authentication not working as expected #2120

Closed
martinhaase opened this issue Mar 20, 2020 · 2 comments
Closed

JWT API Authentication not working as expected #2120

martinhaase opened this issue Mar 20, 2020 · 2 comments

Comments

@martinhaase
Copy link

@martinhaase martinhaase commented Mar 20, 2020

Top-level intent

According to https://privacyidea.readthedocs.io/en/latest/installation/system/inifile.html#trusted-jwts, API authentication using a JSON Web Token works, but not as expected / initially requested by GWDG (CC to @m0ark and @foobarable): The idea was to be able to impersonate the calling party into an arbitrary user, as long as the JWT signature is trusted (e.g. call GET /user/ and only see the user's own details). This however works only for single users, i.e. those exact usernames that got configured in the pi.cfg in the PI_TRUSTED_JWT array. For a site that has thousands of users this will not work, since you cannot list them statically in any Config file.

Steps to reproduce

1.Configure PI_TRUSTED_JWT with public Key Kpub, algorithm RS256 and not specify a specifc username
2.Make A JWT according to the docs, sign it with private key Kpriv, and include a username="userA"

Expected outcome

Given the JWT can be verified using a trusted public key Kpub, any username is accepted, given that realm, role and resolver match.

Actual outcome

Authentication fails, with a misleading error message that mentiones some failing fallback to an "HS256" algorithm.

This is apparently do to an exact string match in verify_auth_token in privacyidea/api/lib/utils.py on the four variables

  • username,
  • realm,
  • role,
  • resolver.

However, the username comparison should not be exact-string-match. A suggestion for improvement would be a regexp match here.

Configuration

  • privacyIDEA version: 3.2.2
  • Installation method: (from Ubuntu packages, github, PyPI, ...) pip
  • Python version: 2.7
  • Operating system: CentOS7
  • Webserver: Apache 2.4
  • Token database: (MySQL, PostgreSQL, ...) sqllite

Log file

(as I said, the error message is misleading)

[2020-03-18 09:53:44,547][3652][139812772095744][DEBUG][privacyidea.api.before_after:84] Begin handling of request u'/user/?'
[2020-03-18 09:53:44,548][3652][139812772095744][ERROR][privacyidea.app:1891] Exception on /user/ [GET]
Traceback (most recent call last):
  File "/opt/privacyidea/lib/python2.7/site-packages/flask/app.py", line 2446, in wsgi_app
    response = self.full_dispatch_request()
  File "/opt/privacyidea/lib/python2.7/site-packages/flask/app.py", line 1951, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/opt/privacyidea/lib/python2.7/site-packages/flask/app.py", line 1820, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/opt/privacyidea/lib/python2.7/site-packages/flask/app.py", line 1947, in full_dispatch_request
    rv = self.preprocess_request()
  File "/opt/privacyidea/lib/python2.7/site-packages/flask/app.py", line 2241, in preprocess_request
    rv = func()
  File "/opt/privacyidea/lib/python2.7/site-packages/privacyidea/api/auth.py", line 349, in decorated_function
    check_auth_token(required_role=["user", "admin"])
  File "/opt/privacyidea/lib/python2.7/site-packages/privacyidea/api/auth.py", line 369, in check_auth_token
    r = verify_auth_token(auth_token, required_role)
  File "/opt/privacyidea/lib/python2.7/site-packages/privacyidea/api/lib/utils.py", line 256, in verify_auth_token
    r = jwt.decode(auth_token, current_app.secret_key, algorithms=['HS256'])
  File "/opt/privacyidea/lib/python2.7/site-packages/jwt/api_jwt.py", line 92, in decode
    jwt, key=key, algorithms=algorithms, options=options, **kwargs
  File "/opt/privacyidea/lib/python2.7/site-packages/jwt/api_jws.py", line 156, in decode
    key, algorithms)
  File "/opt/privacyidea/lib/python2.7/site-packages/jwt/api_jws.py", line 216, in _verify_signature
    raise InvalidAlgorithmError('The specified alg value is not allowed')
InvalidAlgorithmError: The specified alg value is not allowed
@github-actions

This comment has been minimized.

Copy link

@github-actions github-actions bot commented Mar 20, 2020

Thank you for filing an issue and sharing your observations or ideas. Please be sure to provide as many information as possible to help us working on this issue.

@cornelinux

This comment has been minimized.

Copy link
Member

@cornelinux cornelinux commented Mar 20, 2020

You have a misunderstanding. The intention is to have a JWT for a service account, that handles requests for the users. See the detailed specs in #1773.

@cornelinux cornelinux closed this Mar 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.