Closed patfrat closed 8 years ago
Hi @patfrat, sorry to hear that. I don't know much about MitreID OpenID Connect Server, but I assume it is an identity provider that is using OpenID Connect. So how was your id_token's signature getting verified before (i.e. in version 0.4.2), and how was your access_token getting verified? Were they ever being validated? As in version 0.4.2, it's only OAuth2, which won't validate the token much (except the expiration time), unless you had extra customized code.
At this point it looks like more of a config issue. If you have a sample id_token (but make sure it doesn't contain sensitive information of your business), I can also help take a look.
I have decoded my id_token and it contains these fields. I have hidden some of them here with xxx.
[{"auth_time"=>1452068198, "exp"=>1452068798, "sub"=>"xxx", "at_hash"=>"xxx", "aud"=>["xxx"], "iss"=>"http://localhost:8080/ldap-openid-connect-server/", "iat"=>1452068198, "kid"=>"rsa1"}, {"alg"=>"RS256", "kid"=>"rsa1"}]
With the OAuth2 implicit flow, I receive an access_token in the frontend client from the OpenID server, an access_token that I set on all HTTP request headers sent to the backend API. The backend then checks the validity of this access_token with the OpenID server, gets the user profile and checks the user's authorizations before sending the response to the frontend.
Now, with the latest oauth-ng version, access_token is set to null because of a missing public key.
I have found a URI on my OpenID server: http://localhost:8080/ldap-openid-connect-server/jwk. It offers a hash containing an array of keys...
{"keys":[{"alg":"RS256","e":"WXYZ","n":"xxxxxxxxxxxxxxxxxx...","kty":"RSA","kid":"rsa1"}]}
Is it my pub-key that I have to use with oauth-ng?
I begin to understand how it has to work with the OpenID implicit flow. Now that I have my pubkey in JWK format, I have successfully configured my client by adding the issuer, subject and pub-key parameters.
But your documentation said:
For OpenID Connect Implicit Flow only. The public key to verify the id_token signature. It could be .pem format or JWK format. For signing algorithm (usually specified by alg in the id_token header), currently only RS256, RS384, or RS512 is supported. If not set, then the id_token itself should carry the public key, or the url which can be used to retrieve the public key.
JWK format OK... but it seems that the pubkey is passed to KEYUTIL.getKey as a string and not as an object!
If I modify the rsaVerifyJWS method, changing this line: var rsaKey = KEYUTIL.getKey(pubKey); to this: var rsaKey = KEYUTIL.getKey(JSON.parse(pubKey));
It works!
@patfrat You're absolutely right! I'm actually doing the same testing at my side!
And it seems that I only have to set the pub-key parameter; issuer and subject are optional for me. Using just the pub-key with the JSON.parse patch, it works!
@patfrat You're welcome to send a pull request to fix this issue. Sorry about that. Or as a workaround (without a code change), we can convert your JWK key to a PEM string. A tool is available here: https://www.npmjs.com/package/jwk-to-pem So your JWK will be converted to a PEM string that looks similar to this:
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd/wWJcyQoTbji9k0l8W2
6mPddxHmfHQp+Vaw+4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL+yRT+SFd2lZS+pCgNMs
D1W/YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb/7OMg0LOL+bSf63kpaSHSXndS5
z5rexMdbBYUsLA9e+KXBdQOS+UTo7WTBEMa2R2CapHg665xsmtdVMTBQY4uDZlxv
b3qCo5ZwKh9kG4LT6/I5IhlJH7aGhyxXFvUK+DWNmoudF8NAco9/h9iaGNj8q2et
hFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQIDAQAB
-----END RSA PUBLIC KEY-----
Then you can configure it as pub-key="-----BEGIN RSA PUBLIC KEY-----MIIB...AQAB-----END RSA PUBLIC KEY-----"
jwk-to-pem is not available via bower and I have to use it with my AngularJS frontend.
jsrsasign attempts to get an object for a JWK-formatted public key: https://kjur.github.io/jsrsasign/api/symbols/KEYUTIL.html#.getKey
Is there another tool that I can use instead of jwk-to-pem?
I haven't really found any other lightweight tool that does this job. Maybe we should search more. Otherwise, if you can wait a little, I can fix this issue (the "JSON.parse" patch) and hopefully it can be merged very soon.
I can wait! I will try to test what can be changed in the rsaVerifyJWS method to detect the pubkey format. Thank you!
I can also convert my pubkey in my config file... OK, it could be acceptable. It's not really a problem to have jwk-to-pem or not in my frontend project!
Wonderful! Thank you for bringing this issue up. MitreID seems to have a pretty good server-side implementation of the OpenID Connect spec. I didn't know it. Maybe I should use that and build some samples. Thank you again!
I have successfully tried to add JWK support like this, using the KJUR library that is already present in your project.
var rsaVerifyJWS = function (jws, pubKey, alg) {
    /*
     * Convert the various public key formats to an RSAKey object.
     * See KEYUTIL.getKey for the full list of supported input formats.
     * A JWK arrives from the config as a JSON string, so it is parsed
     * into an object first; PEM strings are passed through unchanged.
     */
    if (KJUR.jws.JWS.isSafeJSONString(pubKey)) {
        pubKey = JSON.parse(pubKey);
    }
    var rsaKey = KEYUTIL.getKey(pubKey);
    // Verify the signature, accepting only the configured algorithm.
    return KJUR.jws.JWS.verify(jws, rsaKey, [alg]);
};
I can confirm that Fix JWK format support of OIDC public key #113 works for me! Thank you very much! Waiting now for the merge!
Hello,
Since your update with support for the OpenID Connect implicit flow, my client app, configured to work with the OAuth2 implicit flow and a MitreID OpenID Connect Server, does not work anymore and throws this error: No public key found to verify signature
My OpenID server sends me an access_token and an id_token! The previous version 0.4.2 was working with the OAuth2 implicit flow!
I am now trying to see how I can reconfigure my client and/or my server to work together again! I have no issuer, subject and pub-key options to add yet to my client configuration!
Is it a MitreID issue or a misconfiguration?
Thanks in advance!