OIDC: Something wrong happens when verifying our internal JWT #23007

Closed
FroMage opened this issue Jan 19, 2022 · 7 comments · Fixed by #23070
Comments

@FroMage
Member

FroMage commented Jan 19, 2022

Describe the bug

I just got this issue when trying to log in using Facebook:

org.jose4j.jwt.consumer.InvalidJwtException: JWT processing failed. Additional details: [[17] Unable to process JOSE object (cause: org.jose4j.lang.InvalidAlgorithmException: 'RS256' is not a permitted algorithm.): JsonWebSignature{"alg":"RS256","typ":"JWT","kid":"XXX"}->XXXX]
		at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:264)
		at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:426)
		at org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:171)
		at io.quarkus.oidc.runtime.OidcProvider.verifyJwtTokenInternal(OidcProvider.java:126)
		at io.quarkus.oidc.runtime.OidcProvider.verifySelfSignedJwtToken(OidcProvider.java:90)
		at io.quarkus.oidc.runtime.OidcIdentityProvider.verifySelfSignedTokenUni(OidcIdentityProvider.java:295)
		at io.quarkus.oidc.runtime.OidcIdentityProvider.createSecurityIdentityWithOidcServer(OidcIdentityProvider.java:138)
		at io.quarkus.oidc.runtime.OidcIdentityProvider$3.apply(OidcIdentityProvider.java:129)
		at io.quarkus.oidc.runtime.OidcIdentityProvider$3.apply(OidcIdentityProvider.java:123)

Can we really make internal tokens with an algo we don't permit?

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response

@quarkus-bot

quarkus-bot bot commented Jan 19, 2022

/cc @pedroigor, @sberyozkin

@sberyozkin
Member

@FroMage Hmm, but we sign the internal token using the HS256 algorithm. Something is going on; this does not look like the token we create internally (e.g. kid is not set for the internal token).

@sberyozkin
Member

@FroMage It looks like, while the correct assumption is made that it is an internal ID token, the wrong cookie containing some other tenant's token may be picked up. Can you grab the token in debug mode, in OidcProvider.verifySelfSignedToken(), and check its content, say at jwt.io?

@FroMage
Member Author

FroMage commented Jan 19, 2022

Huh. WTF. I have what looks like a real token now:

{
  "iss": "https://www.facebook.com",
  "aud": "XXX",
  "sub": "XXX",
  "iat": 1642590366,
  "exp": 1642593966,
  "jti": "XXX",
  "nonce": "",
  "at_hash": "XXX",
  "email": "XXX",
  "given_name": "Stéphane",
  "family_name": "Épardaud",
  "name": "Stéphane Épardaud",
  "picture": "https://platform-lookaside.fbsbx.com/platform/profilepic/XXX"
}

How did that happen? Did Facebook start supporting OIDC today?

@sberyozkin
Member

sberyozkin commented Jan 19, 2022

@FroMage Looks like it is indeed returning an IdToken. If you remove id-token-required=false it will start working, or overwrite if using facebook:

quarkus.oidc.facebook.provider=facebook
quarkus.oidc.facebook.authentication.id-token-required=true

CodeAuthenticationMechanism will not create a self-signed token in this case - but during the re-authentication it assumes the token is internal because id-token-required=false.
So yes, removing id-token-required=false will fix it - however I'll try to tighten the code later on so that id-token-required=false does not cause side-effects if an IdToken is in fact returned by the provider.
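The routing confusion described in this comment (the stored cookie is assumed to hold the internal HS256 token because id-token-required=false, so the provider's RS256 ID token hits the internal verifier and is rejected) can be illustrated with the following added Python example; it is not code from the issue or from quarkus-oidc, and the secret, the algorithm allow-list and both sample tokens are constructed here. It routes on what the token header actually says (alg and kid) rather than on the config flag, while the internal verifier keeps its strict algorithm allow-list.

```python
import base64
import hmac
import json

# Constructed demo key and allow-list (the real internal-token key in quarkus-oidc is assumed, not shown).
INTERNAL_SECRET = b"constructed-demo-secret-not-real"
INTERNAL_ALGS = {"HS256"}

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_internal_token(claims: dict) -> str:
    """Constructed stand-in for the HS256 self-signed internal token (note: no kid in the header)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(INTERNAL_SECRET, f"{header}.{payload}".encode(), "sha256").digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

# Constructed lookalike of the provider-issued token in the report: RS256 with a kid; placeholder signature.
PROVIDER_TOKEN = ".".join([b64url_encode(b'{"alg":"RS256","typ":"JWT","kid":"XXX"}'),
                           b64url_encode(b'{"iss":"https://www.facebook.com","sub":"XXX"}'), "sig"])

def classify(token: str) -> str:
    """Decide from the unverified header only: HS256 with no kid is internal, anything else is provider-issued."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    if header.get("alg") in INTERNAL_ALGS and "kid" not in header:
        return "internal"
    return "provider"

def verify_internal(token: str) -> dict:
    """Verify an internal token; refuse to run the HMAC check on any alg outside the allow-list."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg not in INTERNAL_ALGS:
        raise ValueError(f"'{alg}' is not a permitted algorithm")
    mac = hmac.new(INTERNAL_SECRET, f"{header_b64}.{payload_b64}".encode(), "sha256").digest()
    if not hmac.compare_digest(mac, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def route(token: str) -> tuple:
    """Route by what the token actually is, not by the id-token-required flag: (path, claims or None)."""
    if classify(token) == "internal":
        return "internal", verify_internal(token)
    return "provider", None  # hand off to the provider's JWKS-based verification
```

The internal verifier still fails closed on an RS256 header, exactly as jose4j did in the stack trace; the change is only that such a token is never sent down that path in the first place.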

@FroMage
Member Author

FroMage commented Jan 19, 2022

Amazing, FB started sending an ID Token. Excellent. We can change the config for known providers. I can make a PR if you want, also with the fix for Apple discussed in #22572 (comment)

@sberyozkin
Member

@FroMage Re Facebook, so if it sends an IdToken, is requiring userinfo still needed? Can you also please check, maybe it now supports auto-discovery as well so we can drop all those individual Facebook endpoint URLs?

Re Apple - I propose to fix it later when quarkus-oidc starts supporting form-post, so for now please set the extra params manually.
