proxy tries to verify OIDC access_token using the reva jwt secret #3841

Closed
rhafer opened this issue May 20, 2022 · 1 comment

@rhafer
Contributor

rhafer commented May 20, 2022

return []byte(m.TokenManagerConfig.JWTSecret), nil

This can't work. We'd need to fetch the keys from the jwks_uri (as defined in the .well-known/openid-configuration) and use that for verifying the access_token signature or, depending on the IDP, use the introspection endpoint to extract the needed data from the access token. I think currently this "just" breaks the userinfo cache.

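The verification path the comment above asks for, as an added example in Go (this is not code from ocis or reva, and not rhafer's): a JWT access token is checked against the IDP's JWKS rather than a server-side secret. The names makeIDP, signRS256, publicKeyFor and accessTokenExpiry are chosen for this example; makeIDP generates a fresh RSA key and builds, in memory, the JWKS document a real proxy would fetch from the jwks_uri named in .well-known/openid-configuration, so everything runs offline. The verifier pins alg to RS256, selects the key by kid, checks the signature, and only then reads exp, which is the expiry information the fix extracts.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Added example, not ocis/reva code; the JWKS is built in memory, never fetched. jwk/jwks
// carry the RFC 7517 members kty, kid, n, e, keys (encoding/json matches names case-insensitively).
type jwk struct{ Kty, Kid, N, E string }
type jwks struct{ Keys []jwk }
var b64 = base64.RawURLEncoding

// decodeSegment base64url-decodes one JWT segment and unmarshals its JSON.
func decodeSegment(seg string, v any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, v)
}

// makeIDP stands in for the IDP: a fresh key and the JWKS it would serve at jwks_uri.
func makeIDP(kid string) (*rsa.PrivateKey, jwks) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // test fixture, not request handling
	}
	n, e := b64.EncodeToString(key.N.Bytes()), b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())
	return key, jwks{Keys: []jwk{{Kty: "RSA", Kid: kid, N: n, E: e}}}
}

// signRS256 mints a compact JWS the way the IDP does: RS256 over header.payload.
func signRS256(key *rsa.PrivateKey, kid string, payload []byte) string {
	header := fmt.Sprintf(`{"alg":"RS256","typ":"JWT","kid":%q}`, kid)
	input := b64.EncodeToString([]byte(header)) + "." + b64.EncodeToString(payload)
	sum := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		panic(err) // test fixture, not request handling
	}
	return input + "." + b64.EncodeToString(sig)
}

// publicKeyFor looks kid up in the JWKS and decodes the RSA modulus and exponent.
func publicKeyFor(keys jwks, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys.Keys {
		if k.Kid != kid || k.Kty != "RSA" {
			continue
		}
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if errN != nil || errE != nil {
			return nil, fmt.Errorf("malformed JWK %q", kid)
		}
		return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
	}
	return nil, fmt.Errorf("no RSA key with kid %q in JWKS", kid)
}

// accessTokenExpiry pins alg to RS256, verifies the signature with the JWKS key named by kid
// and only then trusts exp (unix seconds). The alg pin keeps an HS256 token made with a server secret out.
func accessTokenExpiry(token string, keys jwks, now int64) (int64, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return 0, fmt.Errorf("access token is not a compact JWS")
	}
	var hdr struct{ Alg, Kid string }
	if err := decodeSegment(parts[0], &hdr); err != nil {
		return 0, err
	}
	if hdr.Alg != "RS256" {
		return 0, fmt.Errorf("unsupported alg %q", hdr.Alg)
	}
	pub, err := publicKeyFor(keys, hdr.Kid)
	sig, errSig := b64.DecodeString(parts[2])
	if err != nil || errSig != nil {
		return 0, fmt.Errorf("key lookup: %v; signature decode: %v", err, errSig)
	}
	sum := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], sig); err != nil {
		return 0, fmt.Errorf("signature check failed: %w", err)
	}
	var c struct{ Exp int64 }
	if err := decodeSegment(parts[1], &c); err != nil {
		return 0, err
	}
	if c.Exp == 0 || c.Exp <= now {
		return 0, fmt.Errorf("access token expired")
	}
	return c.Exp, nil
}
```

In a deployment the JWKS would be fetched from the jwks_uri and cached, with a refetch on an unknown kid so that IDP key rotation does not lock users out. IDPs that issue opaque (non-JWT) access tokens cannot be handled this way at all; for those, the introspection endpoint the comment mentions is the alternative.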
@rhafer
Contributor Author

rhafer commented Jul 12, 2022

addressed in #4135

@rhafer rhafer self-assigned this Jul 22, 2022
rhafer added a commit to rhafer/ocis that referenced this issue Jul 22, 2022
We try to parse the access token as a JWT now. Verifying the signature
using the keys downloaded from the jwks_uri of the IDP. Currently we
only use it to extract the expiry information from the JWT. This could
be reworked to extract other claims from the token for authorization
purposes.

Fixes: owncloud#3841
rhafer added further commits to rhafer/ocis that referenced this issue on Jul 25, 2022 (twice) and Aug 2, 2022, each carrying the same message as above.
@rhafer rhafer closed this as completed in 454cea8 Aug 3, 2022
@micbar micbar added this to the 2.0.0 General Availability milestone Aug 8, 2022
@micbar micbar mentioned this issue Aug 11, 2022