AzureAD / omniauth-azure-activedirectory

MIT License

Topic/protocol fixes #3

Closed aj-michael closed 9 years ago

aj-michael commented 9 years ago

Four fixes:

  1. The name of the nonce in the session was incorrect due to renaming from azuread to azure-activedirectory.
  2. Removed DEFAULT_SIGNING_KEYS_URL. The signing keys url must be provided as jwks_uri in the openid configuration response.
  3. Check the c_hash in the id token against the authorization code, per OpenID Connect Core 3.3.2.11.
  4. Fail with a JWT::VerificationError if there is no x5c or the kids don't match. Previously this was failing with an ambiguous NoMethodError.
aj-michael commented 9 years ago

From my (limited) understanding of the SHA2 family, we need to differentiate between sha256, sha384 and sha512. OpenSSL::Digest.new takes the name of the hashing algorithm as a string to its constructor, so we have to map RS256 -> sha256, ES384 -> sha384, etc. I've added a comment to clarify.

I also added a commit that sets the default to RS256 if no algorithm is present in the token header.
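The c_hash check (item 3), the kid/x5c failure mode (item 4) and the alg-to-digest mapping with the RS256 default from the comment above, as an added Ruby example that is not the gem's own code. It assumes a local `IdTokenVerificationError` standing in for `JWT::VerificationError` so it runs without the jwt gem; all function names are hypothetical, and the authorization code and JWKS entries used with it are constructed.

```ruby
require 'openssl'
require 'base64'

# Stand-in for JWT::VerificationError so this example runs without the jwt gem.
class IdTokenVerificationError < StandardError; end

# Map the JWS "alg" header to an OpenSSL digest name. c_hash is computed with
# the hash algorithm of the ID token's alg (OpenID Connect Core 3.3.2.11), so
# RS256/ES256/PS256 -> sha256, RS384 -> sha384, RS512 -> sha512. A missing alg
# defaults to RS256, as in the PR.
def digest_for_alg(alg)
  alg = 'RS256' if alg.nil? || alg.empty?
  bits = alg[/\A(?:RS|ES|PS)(256|384|512)\z/, 1]
  raise IdTokenVerificationError, "unsupported alg #{alg}" unless bits
  "sha#{bits}"
end

# Left-most half of the hash of the ASCII authorization code, base64url
# encoded without padding: the value the IdP must have placed in c_hash.
def expected_c_hash(code, alg)
  digest = OpenSSL::Digest.new(digest_for_alg(alg)).digest(code)
  Base64.urlsafe_encode64(digest[0, digest.bytesize / 2], padding: false)
end

# Constant-time comparison so a mismatch does not leak where the strings differ.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify the id_token's c_hash claim against the code returned alongside it.
# Raises rather than returning false so a missing claim cannot pass silently.
def verify_c_hash!(claims, header, code)
  c_hash = claims['c_hash']
  raise IdTokenVerificationError, 'id_token has no c_hash' if c_hash.nil?
  unless constant_time_equal?(c_hash, expected_c_hash(code, header['alg']))
    raise IdTokenVerificationError, 'c_hash does not match authorization code'
  end
  true
end

# Pick the JWKS entry whose kid matches the token header. The gem needs the x5c
# certificate, so a matching key without one is a verification failure as well,
# not a NoMethodError later on.
def signing_cert_for(jwks_keys, kid)
  key = jwks_keys.find { |k| k['kid'] == kid }
  raise IdTokenVerificationError, "no signing key with kid #{kid}" if key.nil?
  raise IdTokenVerificationError, "key #{kid} has no x5c" unless key['x5c']&.first
  key['x5c'].first
end
```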

brentschmaltz commented 9 years ago

:shipit: