Critical: Signature is not verified

[erikbra]

In JWT.java, only the payload (claims) of the JWT token is read. This means that no verification of the signature is performed. In other words, anyone can modify the token and claim to be anyone.

Signature verification needs to be added.

[jamescon]

Are there any plans to fix this?

[erikbra]

@jamescon, I haven't heard anything since I reported the issue. @ekoshkin has not responded. I had jo quit using the plugin for this particular reason. I have filed another pull request on the project, #5, which fixes issue #3, but haven't heard anything on that one either. So I'm a little reluctant to fix this issue and file a pull request, if no one is going to respond to that one either.

It's a bit sad, because the functionality is a gem. Do you have any good writeups on how to verify the JWT signature against Azure AD, @jamescon? We need to get the public key in a backchannel, right?

[sballarati]

Hi, it seems that the Java JWT library can be used to fix this issue: https://github.com/jwtk/jjwt

Thanks, Sebastian

[ghost]

Hi @erikbra , @jamescon! AFAIK public key used to validate JWT signatures is global (for all AAD's running under all registered user accounts). So I can't clarify what is the additional value to implement signature checking in case we already use SSL connection to Azure login endpoint, Please correct me if I wrong.

[erikbra]

You must validate that the message has not been tampered with. You validate that the message has not been tampered with by validating the message signature.

Now I can pretend to be anyone in my organization by editing the JWT before posting it to Teamcity. (Using e.g. Fiddler). The signature is then invalid, but we don't notice.

11. jun. 2015 15.37 skrev "Evgeniy Koshkin" notifications@github.com:

Hi @erikbra https://github.com/erikbra , @jamescon https://github.com/jamescon! AFAIK public key used to validate JWT signatures is global (for all AAD's running under all registered user accounts). So I can't clarify what is the additional value to implement signature checking in case we already use SSL connection to Azure login endpoint, Please correct me if I wrong.

— Reply to this email directly or view it on GitHub https://github.com/ekoshkin/teamcity-azure-active-directory/issues/6#issuecomment-111138123 .

[erichexter]

Sounds like a pull request.

[erikbra]

Sorry, I haven't been able to followup on this, I have looked briefly at the Jawa JWT library that @sballarati mentions. It looks like it can do the job. What are your feelings on bringing in an external library dependency, @ekoshkin? I would prefer using an actively maintained JWT library over taking in the portions we need. It makes maintaining the code easier.

I am a bit time challenged, but I might be able to help solve this if we can agree on how to solve it. This class (with the dependencies, of course), looks promising: https://github.com/jwtk/jjwt/blob/master/src/main/java/io/jsonwebtoken/impl/DefaultJwtParser.java

[ghost]

@erikbra using JWT library looks good to me

[jfatta]

@erikbra I submitted https://github.com/ekoshkin/teamcity-azure-active-directory/pull/20 to solve this. Thanks.