bcgov / nr-forests-access-management

Authorization solution for BC natural resource sector
Apache License 2.0

Security Vulnerability ("python-jose") Fixing Part 2 #1454

Closed ianliuwk1019 closed 3 months ago

ianliuwk1019 commented 4 months ago

Describe the bug

On ticket #1398, we tried to address most of the dependabot security vulnerabilities in the FAM code by replacing the "python-jose" library with the "PyJwt" library and "authlib". However, the file "bcsc_decryption.py" that uses "python-jose" has complexity for replacing it with another library, so we decided to separate that fix into a different ticket. In short, what "bcsc_decryption.py" does is decrypt the "jwe" token obtained from BCSC (from BCSC's userinfo url) by using the AWS "decrypted_key" (symmetric public key).

In fact, the file "bcsc_decryption.py" seems to be a copy-paste into FAM from the 'python-jose' library itself (for some unknown reason), and it is not clear whether there are any custom adjustments for FAM. The intended attempt at fixing the security vulnerability is as below:

Acceptance Criteria

Additional context

Might need to contact Wesley (wesley.gilbert@gov.bc.ca) for dev configuration so we can test the BCSC login in DEV.

ianliuwk1019 commented 4 months ago

Questions to Wesley regarding the bcsc proxy integration testing with BCSC (using the FAM DEV environment with the BCSC TEST instance). The reply from Wesley:

Hi Ian,

As it’s configured now, the integrations should work to all environments. I think it’s just as long as you put the right parameters in the right initial auth request, it should work on the following URLs. If any of these need a change/addition, let myself or [@Janes, Ryan R CITZ:EX](mailto:Ryan.Janes@gov.bc.ca) know and we can update the configuration. The JWKS shouldn’t matter, you’re using the same one for both Dev/Test.

If you need some help creating that auth request let us know.  It’ll be something like this:

[https://idtest.gov.bc.ca/login/oidc/authorize?response_type=code&scope=openid%20address%20profile%20email&client_id=DEVCLIENTID&redirect_uri=TEST_REDIRECT_URI]

Client ID: ca.bc.gov.flnr.fam.dev  (Dev) 
Redirect URLs: [https://bcsctesting.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse],
[https://dev-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse],
[https://prod-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse],
[https://test-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse]

Client ID: ca.bc.gov.flnr.fam.test (TEST)
Redirect URLs: [https://dev-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse],
[https://prod-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse],
[https://test-fam-user-pool-domain.auth.ca-central-1.amazoncognito.com/oauth2/idpresponse]

and Prod only points to Prod.

ianliuwk1019 commented 4 months ago

Communicated with Wesley and tried to make the BCSC login flow work in the FAM DEV (BCSC-TEST) environment (without any code change) so we can make sure it works in PROD and also works in DEV (for integration testing purposes).

Currently all BCSC environments are hardcoded with the FAM PROD KMS key on the BCSC side for encrypting the JWE token.

After several troubleshooting emails, we asked Wesley for a (temporary) change in their BCSC-TEST environment to hardcode their FAM jwks request with the FAM DEV KMS key. After some troubleshooting, Wesley made the setting adjustment in the correct BCSC environments ("ca.bc.gov.flnr.fam.dev" and "ca.bc.gov.flnr.fam.test"):

{"keys":[{"n":"nQAK9NQi2ZwxkLBgrA5BlZHGuSVnGKIYRRRGJJDoJdBn3ahqQXgLtT-kSbJ_IuRr05f2vNGhtXzvJ4V-Zs5tKtMQiOIzSgbzHWnxofJPlg47GX2GmLyYOwHlnzFK9wLY7D7OZX2eZdTEO_YpdWSi4t4W1xq8NY5NODBax-a9XBndU5cy9C0av9BUn12-76IqnmLeJUky4uM9qs2Y_zkgK4WW3N-sJQBHe12wLad4m7vHmc-RdTeNliuP4BEoX-gov9Qgp34hOmK5nMqvDa1DFQKz4Y9RN1PVw2Ik0aDH1z8SMGRW9NjEkbMdQtTW4qgJP3bM5VejeK3Fsx8Wt6LhNQ","e":"AQAB","kty":"RSA","use":"enc","alg":"RS256","kid":"bcscencryption"}]}

This enables FAM DEV to successfully run the BCSC login flow using the BCSC-TEST instance. However, this also means that in FAM PROD the BCSC-DEV and BCSC-TEST environments won't work. This is only temporary: if any team doing BCSC integration needs our FAM PROD's BCSC-TEST, then we need to ask Wesley to switch it back to hardcoding the key with the PROD one.

ianliuwk1019 commented 3 months ago

Spent lots of time attempting to replace the "python-jose" package for decrypting the BCSC jwe token with the "authlib" and "joserfc" libraries, but it was not successful, with errors like:

2024-07-10T05:38:18.883Z
raise UnsupportedAlgorithmError()
2024-07-11T23:51:47.245Z
ValueError: ('Could not deserialize key data. The data may be in an incorrect format, it may be encrypted with an unsupported algorithm, or it may be an unsupported key type (e.g. EC curves with explicit parameters).', [<OpenSSLError(code=503841036, lib=60, reason=524556, reason_text=unsupported)>])
2024-07-11T23:51:47.245Z
ValueError: Unable to load PEM file. See https://cryptography.io/en/latest/faq/#why-can-t-i-import-my-pem-file for more details. MalformedFraming

These libraries have issues using the KMS-decrypted "key" from the BCSC jwe token and could not decrypt the jwe content.

From the errors when using other libraries, it seems to indicate that something is funny in the decrypted BCSC key itself: either it is not following the standard format of a jwe key, or it is an unsupported algorithm.

Talked to Conrad about what happened in the past: why the integration code "bcsc_decryption.py" looked like a copy-paste (with modification) from the "python-jose" library (there must be a difficult reason), why other libraries don't work, and whether there is any other app successfully using the BCSC jwe token. It has been a while, so it was hard for him to remember the details, but he did mention he tried several libraries to make it work and none of them worked, and he also engaged in some conversation about this encryption-decryption problem with the BCSC team but seemingly without success, so that's why he was not happy with the ugly code that exists to make the bcsc integration work with FAM (AWS). Conrad also mentioned that it seems the key/token is double encrypted (which I am not sure what it means, and maybe that's why I saw the key formatting error while using other libraries?), and he mentioned that other apps integrated with BCSC do not do the encryption.

With the failed attempts at replacing "python-jose" with other libraries, and with advice from Conrad based on his past experience, it is now decided to still inherit the same old code and port the other code from the old library to get rid of the dependency.
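As an added diagnostic (not code from the FAM repository or from python-jose), the block below inspects the JWKS document posted in the earlier comment using only the Python standard library: it decodes the RSA modulus and exponent, reports the key size, and checks whether the advertised `use` and `alg` are consistent with the JWE key-management algorithms defined in RFC 7518. It reports only what the JWKS itself says and does not assert that this explains the key-loading errors above; the algorithm sets are the RFC's, everything else is assumed for illustration.

```python
import base64
import json

# JWKS document exactly as posted in the issue comment above (copied from the page).
BCSC_JWKS = '{"keys":[{"n":"nQAK9NQi2ZwxkLBgrA5BlZHGuSVnGKIYRRRGJJDoJdBn3ahqQXgLtT-kSbJ_IuRr05f2vNGhtXzvJ4V-Zs5tKtMQiOIzSgbzHWnxofJPlg47GX2GmLyYOwHlnzFK9wLY7D7OZX2eZdTEO_YpdWSi4t4W1xq8NY5NODBax-a9XBndU5cy9C0av9BUn12-76IqnmLeJUky4uM9qs2Y_zkgK4WW3N-sJQBHe12wLad4m7vHmc-RdTeNliuP4BEoX-gov9Qgp34hOmK5nMqvDa1DFQKz4Y9RN1PVw2Ik0aDH1z8SMGRW9NjEkbMdQtTW4qgJP3bM5VejeK3Fsx8Wt6LhNQ","e":"AQAB","kty":"RSA","use":"enc","alg":"RS256","kid":"bcscencryption"}]}'

# RSA key-management algorithms that JWE defines (RFC 7518, section 4.1).
JWE_RSA_ALGS = {"RSA1_5", "RSA-OAEP", "RSA-OAEP-256"}
# RSA signature algorithms (RFC 7518, section 3.1); these are JWS algorithms, not JWE ones.
JWS_RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}


def b64url_to_int(value: str) -> int:
    """Decode a base64url-encoded big-endian unsigned integer (the JWK 'n'/'e' encoding)."""
    value += "=" * (-len(value) % 4)  # JWK omits padding; restore it for the decoder
    return int.from_bytes(base64.urlsafe_b64decode(value), "big")


def inspect_jwk(jwk: dict) -> dict:
    """Return basic facts and consistency findings for one JWK entry."""
    findings = []
    if jwk.get("kty") != "RSA":
        findings.append(f"unexpected kty {jwk.get('kty')!r}")
    n = b64url_to_int(jwk["n"])
    e = b64url_to_int(jwk["e"])
    use, alg = jwk.get("use"), jwk.get("alg")
    if use == "enc" and alg in JWS_RSA_ALGS:
        findings.append(f"use=enc but alg={alg} is a JWS signing algorithm, "
                        "not a JWE key-management algorithm")
    elif use == "enc" and alg is not None and alg not in JWE_RSA_ALGS:
        findings.append(f"use=enc with alg {alg!r} that is not a JWE RSA algorithm")
    if e != 65537:
        findings.append(f"unusual public exponent {e}")
    return {"kid": jwk.get("kid"), "bits": n.bit_length(), "e": e,
            "use": use, "alg": alg, "findings": findings}


def inspect_jwks(jwks_json: str) -> list:
    """Inspect every key in a JWKS JSON document."""
    return [inspect_jwk(key) for key in json.loads(jwks_json)["keys"]]


if __name__ == "__main__":
    for report in inspect_jwks(BCSC_JWKS):
        print(json.dumps(report, indent=2))
```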