
[QUESTION] When switching to PKCE flow there are errors in openidc_load_jwt_and_verify_crypto() and openidc_load_and_validate_jwt_id_token() methods #510

Open
madonar opened this issue Feb 12, 2024 · 1 comment


madonar commented Feb 12, 2024

Environment
  • lua-resty-openidc version: 1.21.4.1
  • OpenID Connect provider: PhenixID
Expected behaviour

We are switching from "code" flow to the "pkce" flow for security reasons. When doing so we see errors and are unable to proceed with the implementation. Is there someone who can point out the mistake and help us in this switching?

When a user starts to reach a website, the following happens (SSO):
authorization endpoint -> success response
Token endpoint -> success response
jwks endpoint -> success response

After receiving the JWKS, the JWT verification should be successful without errors and the flow should proceed to be able to obtain a user token from the userinfo endpoint. How can I achieve this?

Actual behaviour

After receiving the response from the jwks endpoint, the errors below are seen in the logs; in particular the line "RSA key with id 2LhxLYAqxej8ltPfuqPb1SLP-7g" is the same (including the same id (from cache or similar?)) for several different SSO attempts to log in to the website. Is the RSA key cached and reused every time? How can we fix this?

[error] 1234953#1234953: *2 [lua] openidc.lua:1006: openidc_load_jwt_and_verify_crypto(): RSA key with id 2LhxLYAqxej8ltPfuqPb1SLP-7g not found,
[error] 1234953#1234953: *2 [lua] openidc.lua:1066: openidc_load_and_validate_jwt_id_token(): id_token '' signature verification failed,

Minimized example

```lua
local opts = {
  redirect_uri = "/sso/ebx",
  discovery = "https://replacedforsecurityreasons-acceptance.se/oidc-basic-pkce-tenant/.well-known/openid-configuration",
  client_id = "replacedforsecurityreasons",
  client_secret = "replacedforsecurityreasons",
  ssl_verify = "no",                    -- disables TLS certificate verification towards the provider
  timeout = 500,
  use_pkce = true,                      -- send code_challenge / code_verifier with the authorization request
  scope = "openid",
  use_nonce = false,                    -- no nonce is sent, so the id_token nonce claim is not checked
  accept_none_alg = true,               -- accepts unsigned id_tokens (alg "none")
  keepalive = "yes",
  jwt_verification_cache_ignore = true  -- skips the cached JWT verification result
}
```
local res, err, tgt_url, session = require("resty.openidc").authenticate(opts)
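The two log lines come from the key-selection step that runs before the signature is checked: the `kid` in the id_token header has to match a key in the JWKS document the library is holding, and a common reason for a miss is that the held copy predates a signing-key rotation at the provider. The following is an added example, written for this page and not code from lua-resty-openidc or from the issue author, that reproduces that selection logic in Python: it parses the JOSE header, refuses `alg: none` (which `accept_none_alg = true` would otherwise let through), looks the `kid` up in a JWKS, refetches once on a miss, and reports which key it would hand to the signature check. The kids, JWKS documents, claims, placeholder signatures and the refresh-on-miss policy are all constructed for the example; nothing here describes how the library's own cache behaves.

```python
import base64
import json
from typing import Callable, Dict, Optional

# Signing algorithms this checker accepts, mapped to the JWK key type they need.
# "none" is deliberately absent: an unsigned token must never reach the key
# lookup, which is exactly what accept_none_alg = true would allow.
ALG_TO_KTY = {"RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
              "PS256": "RSA", "ES256": "EC", "ES384": "EC"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jose_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS. Nothing in it is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))


def find_signing_key(token: str, jwks: dict,
                     refresh_jwks: Optional[Callable[[], dict]] = None) -> dict:
    """Select the JWK that should verify `token`; refetch the JWKS once on a miss.

    The refresh-on-miss step is this example's own policy (assumption), not a
    description of lua-resty-openidc's cache handling.
    """
    header = jose_header(token)
    alg, kid = header.get("alg"), header.get("kid")
    if alg not in ALG_TO_KTY:
        raise ValueError(f"unsupported or unsigned alg {alg!r}; refusing to verify")
    if not kid:
        raise ValueError("token header carries no kid; cannot select a JWKS key")

    def lookup(doc: dict) -> Optional[dict]:
        for jwk in doc.get("keys", []):
            if jwk.get("kid") != kid:
                continue
            if jwk.get("kty") != ALG_TO_KTY[alg]:
                raise ValueError(f"kid {kid!r} is a {jwk.get('kty')} key, token alg is {alg}")
            if jwk.get("use", "sig") != "sig":
                raise ValueError(f"kid {kid!r} is not a signing key (use={jwk.get('use')!r})")
            return jwk
        return None

    jwk = lookup(jwks)
    if jwk is None and refresh_jwks is not None:
        jwk = lookup(refresh_jwks())
    if jwk is None:
        raise LookupError(f"{ALG_TO_KTY[alg]} key with id {kid} not found in JWKS")
    return jwk


def unsigned_sample_token(header: dict, payload: dict) -> str:
    """Constructed test input: a compact JWS with a placeholder signature segment."""
    def seg(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{seg(header)}.{seg(payload)}.{b64url_encode(b'placeholder-signature')}"


def fake_rsa_jwk(kid: str, use: str = "sig") -> dict:
    """Constructed JWK: the modulus is a placeholder, not a real key."""
    return {"kty": "RSA", "kid": kid, "use": use, "alg": "RS256",
            "n": b64url_encode(b"constructed-modulus-not-a-real-key"), "e": "AQAB"}


# Constructed JWKS documents: what a stale cache holds versus what the provider
# serves after rotating its signing key (plus an encryption key that must never
# be selected for signature verification).
CACHED_JWKS = {"keys": [fake_rsa_jwk("old-key")]}
FRESH_JWKS = {"keys": [fake_rsa_jwk("old-key"), fake_rsa_jwk("rotated-key"),
                       fake_rsa_jwk("enc-key", use="enc")]}

CLAIMS = {"iss": "https://op.example", "sub": "user", "aud": "client"}  # constructed
SAMPLE_TOKENS = {
    "cached_kid": unsigned_sample_token({"alg": "RS256", "kid": "old-key"}, CLAIMS),
    "rotated_kid": unsigned_sample_token({"alg": "RS256", "kid": "rotated-key"}, CLAIMS),
    "unknown_kid": unsigned_sample_token({"alg": "RS256", "kid": "unknown-key"}, CLAIMS),
    "enc_kid": unsigned_sample_token({"alg": "RS256", "kid": "enc-key"}, CLAIMS),
    "alg_none": unsigned_sample_token({"alg": "none", "kid": "old-key"}, CLAIMS),
}


def run_samples() -> Dict[str, str]:
    """Run every sample against the stale cache with a counted refresh callback."""
    refetches = []

    def refresh() -> dict:
        refetches.append(1)
        return FRESH_JWKS

    results = {}
    for name, token in SAMPLE_TOKENS.items():
        try:
            results[name] = "key " + find_signing_key(token, CACHED_JWKS, refresh)["kid"]
        except (ValueError, LookupError) as exc:
            results[name] = f"rejected: {exc}"
    results["jwks_refetches"] = str(len(refetches))
    return results


if __name__ == "__main__":
    for name, outcome in run_samples().items():
        print(f"{name}: {outcome}")
```

To use this on the real case, replace the constructed tokens with the id_token from the debug log and CACHED_JWKS with the document the jwks endpoint actually returned. If the `kid` is absent even from a freshly fetched JWKS, the provider is signing with a key it does not publish at that tenant's jwks_uri, and no client-side cache setting will change the outcome.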


madonar commented Feb 12, 2024

debug.log
Attaching the logs (debug mode) with "replacedforsecurityreasons" text replacing IP, URL & large binary data.

madonar changed the title from "When switching to PKCE flow there are errors in openidc_load_jwt_and_verify_crypto() and openidc_load_and_validate_jwt_id_token() methods" to "[QUESTION] When switching to PKCE flow there are errors in openidc_load_jwt_and_verify_crypto() and openidc_load_and_validate_jwt_id_token() methods" on May 6, 2024