IdentityModel / oidc-token-manager

Apache License 2.0

Error: RSA Keys Empty #51

Closed nathanhokanson closed 8 years ago

nathanhokanson commented 8 years ago

I have a simple SPA based very loosely on the https://github.com/GeertHuls/SecuredApi app, although I have simplified the js a little for testing purposes. I am able to authenticate to my OpenID Connect server, but when I call the processTokenCallbackAsync with the hash I get the error listed in the subject line. I don't see anything in the documentation about needing RSA keys installed, but I might be missing something.

Here is my javascript:

    ;(function (angular) {
      "use strict";

      angular.module("authTest", ["ngRoute"])
        .factory("tokenManager", tokenManager)
        .controller("loginController", loginController)
        .controller("visualizationController", visualizationController)
        .run(["$location", "tokenManager", function ($location, tokenManager) {
          var hash = $location.path();
          if (hash) {
            // Take off the first character: for some reason $location is adding a
            // "/" in front of the hash. $location.hash() doesn't return the hash.
            tokenManager.processTokenCallbackAsync(hash.substring(1, hash.length - 1)).then(
              function (response) {
                console.log("Success processing token");
              },
              function (error) {
                console.log("Error:  " + error);
              }
            );
          }
        }]);

      // Factory wrapping the global OidcTokenManager from oidc-token-manager.js.
      function tokenManager($browser) {
        var config = {
          client_id: "@!A327.AD27.2230.958B!0001!8CD6.E534!0008!3BFF.B2A2",
          authority: "https://nathan-desktop.<domain>.net/",
          redirect_uri: window.location.protocol + "//" + window.location.host + $browser.baseHref() + "/new-ui/index.html",
          post_logout_redirect_uri: window.location.protocol + "//" + window.location.host + $browser.baseHref() + "/new-ui/index.html",
          response_type: "id_token token",
          scope: "openid profile email roles fox",
          silent_redirect_uri: window.location.protocol + "//" + window.location.host + $browser.baseHref() + "frame.html",
          silent_renew: true
        };

        var manager = new OidcTokenManager(config);

        // Drop the stored token when it expires or silent renew fails.
        var tokenExpired = function () {
          manager.removeToken();
        };

        var tokenObtained = function () {
          console.log("Obtained token:  " + manager.id_token);
        };

        manager.addOnTokenExpired(tokenExpired);
        manager.addOnTokenObtained(tokenObtained);
        manager.addOnSilentTokenRenewFailed(tokenExpired);

        return manager;
      }

      function loginController(tokenManager) {
        var vm = this;

        vm.login = function () {
          tokenManager.redirectForToken();
        };

        vm.logout = function () {
          tokenManager.redirectForLogout();
        };
      }

      function visualizationController(tokenManager) {
        var vm = this;
        vm.id_token = tokenManager.id_token;
        vm.access_token = tokenManager.access_token;
      }
    })(window.angular);

nathanhokanson commented 8 years ago

A little more information: When debugging the line that returns the error of RSA empty keys (7948 in the version I am using) it appears to be looking for a key.x5c array, which does not exist in the first item returned from the server I am using (it is gluu). The algorithm is RS256, so I don't know if that affects anything.

brockallen commented 8 years ago

thx -- this is an area that needs beefing up. Can you provide me with the public URL for their metadata endpoint?

nathanhokanson commented 8 years ago

https://idp.gluu.org/.well-known/openid-configuration

That is the public endpoint. Is there anything I can do to help? I don't have much experience with OpenID connect (which is why I wanted to use your library, :) ) but I am pretty good at JavaScript.

brockallen commented 8 years ago

I can try to look into it next week. This is the important line of code:

https://github.com/IdentityModel/oidc-client/blob/master/oidc-client.js#L174

What it should do is loop thru all the items (keys) in the array and check each one (probably selecting the right kid, but that's more details).

brockallen commented 8 years ago

BTW it's this data it's reading: https://idp.gluu.org/oxauth/seam/resource/restv1/oxauth/jwks

nathanhokanson commented 8 years ago

So I finally found out that the newer version of the server I am using doesn't provide the x5c key any more. This is one of the keys (there are six in total) that I am getting (with key & id removed for brevity):

{
    "kty": "RSA",
    "kid": "<keyid>",
    "use": "sig",
    "alg": "RS256",
    "n": "<keydata>",
    "e": "AQAB"
}

The server supports several algorithms (RS256, RS384, RS512, ES256, ES384, ES512) but none of them have an x5c field. Is there an alternate way to decrypt the token given that we don't have the x5c key?

Thanks,

Nathan

brockallen commented 8 years ago

Yep, this is something I need to fix/enhance in the oidc-client library.

IwalkAlone commented 8 years ago

Ran into this same issue when working with https://login.salesforce.com/.well-known/configuration. Keys are here - https://login.salesforce.com/id/keys, same structure as the one @nathanhokanson is getting.

cmartin81 commented 8 years ago

+1

brockallen commented 8 years ago

This has been addressed in the oidc-client-js rework here: https://github.com/IdentityModel/oidc-client-js/issues/2 and the issue (that I forgot about) that was tracking this fix: https://github.com/IdentityModel/oidc-client-js/issues/10