bshaffer / oauth2-server-php

A library for implementing an OAuth2 Server in php
http://bshaffer.github.io/oauth2-server-php-docs
MIT License
3.26k stars, 950 forks

Firebase/JWT <6 is considered security risk #1043

Closed jasverix closed 1 year ago

jasverix commented 1 year ago

Update the recommended version and fix the code. The new versions of Firebase/JWT have namespaced classes.

jasverix commented 1 year ago

https://github.com/Roave/SecurityAdvisories/issues/106

jasverix commented 1 year ago

https://www.cve.org/CVERecord?id=CVE-2021-46743

jasverix commented 1 year ago

Attempted to run this branch locally and it did not work at all; the $key is null and it fails. Need to work through this more.

jasverix commented 1 year ago

JwtAccessToken tries to decode the access token without any key to fetch the client_id, and that does not work in the new FirebaseJwt; it needs the key. I made my own variant in our project that fetches the access token from PDO storage to get the client_id and then decodes it. Unsure if it is something that I can commit, as it is a little hacky, and then the JwtAccessToken requires the PDO storage in the constructor.
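
The pattern the comment above runs into, shown as an added example: this is not code from the thread, from oauth2-server-php, or from firebase/php-jwt. With firebase/php-jwt 6.x, `JWT::decode()` requires a `Key` that binds key material to one algorithm, so the old "decode with no key just to read `client_id`" step is gone. The replacement is to read the unverified payload yourself, use only the `client_id` from it to choose which public key to verify with, and then let `JWT::decode()` verify the signature. It assumes Composer's autoloader and `firebase/php-jwt ^6` are installed; `unverifiedClaims()`, `decodeAccessToken()` and the `$publicKeyByClient` array (standing in for the server's key storage) are hypothetical names, and the RSA key pair and tokens are constructed inline for the demo. The final part goes beyond the comment and shows why the `Key` object matters for CVE-2021-46743: a token re-signed with HS256 using the RSA public key as the HMAC secret is rejected.

```php
<?php
// Added example, not oauth2-server-php or firebase/php-jwt code.
// Assumes: composer autoload present, firebase/php-jwt ^6 installed.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

/**
 * Return the claims of a JWT WITHOUT verifying the signature (hypothetical helper).
 * Only safe for choosing which key to verify with; never act on these values.
 */
function unverifiedClaims(string $jwt): array
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new UnexpectedValueException('Wrong number of segments');
    }
    $claims = JWT::jsonDecode(JWT::urlsafeB64Decode($parts[1]));
    if (!is_object($claims)) {
        throw new UnexpectedValueException('Payload is not a JSON object');
    }
    return (array) $claims;
}

/**
 * Verify an RS256 access token with the public key registered for the client
 * named in its (still unverified) client_id claim (hypothetical helper).
 *
 * @param callable $publicKeyForClient  (string $clientId) => ?string PEM, assumed lookup
 */
function decodeAccessToken(string $jwt, callable $publicKeyForClient): array
{
    $clientId = unverifiedClaims($jwt)['client_id'] ?? null;
    if (!is_string($clientId) || $clientId === '') {
        throw new UnexpectedValueException('Token has no client_id claim');
    }
    $pem = $publicKeyForClient($clientId);
    if ($pem === null) {
        throw new UnexpectedValueException("Unknown client $clientId");
    }
    // Key binds the PEM to exactly one algorithm. php-jwt 6 compares the
    // token header's alg against it and refuses a mismatch, which closes the
    // public-key-as-HMAC-secret confusion of CVE-2021-46743 (php-jwt < 6).
    $verified = (array) JWT::decode($jwt, new Key($pem, 'RS256'));
    if (($verified['client_id'] ?? null) !== $clientId) {
        throw new UnexpectedValueException('client_id changed between unverified and verified payload');
    }
    return $verified;
}

// Constructed demo: throwaway RSA key pair, one legitimate token, one forgery.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $privatePem);
$publicPem = openssl_pkey_get_details($res)['key'];

$publicKeyByClient = ['client-123' => $publicPem];   // stands in for the server's key storage
$lookup = fn (string $id): ?string => $publicKeyByClient[$id] ?? null;

$token = JWT::encode([
    'iss'       => 'https://as.example',
    'client_id' => 'client-123',
    'sub'       => 'user-42',
    'iat'       => time(),
    'exp'       => time() + 300,
], $privatePem, 'RS256');

$claims = decodeAccessToken($token, $lookup);
printf("verified client_id=%s sub=%s\n", $claims['client_id'], $claims['sub']);

// Forgery: same claims, signed with HS256 using the PUBLIC key as the HMAC secret.
// The unverified client_id lookup still succeeds, but the RS256 Key rejects the token.
$forged = JWT::encode(
    ['client_id' => 'client-123', 'sub' => 'attacker', 'exp' => time() + 300],
    $publicPem,
    'HS256'
);
try {
    decodeAccessToken($forged, $lookup);
    echo "BUG: forged token accepted\n";
} catch (UnexpectedValueException | DomainException $e) {
    echo 'forged token rejected: ', get_class($e), ': ', $e->getMessage(), "\n";
}
```

The unverified parse is used for nothing except selecting the key, and the `client_id` is re-checked against the verified payload afterwards, so a token whose payload was tampered with cannot steer verification to a different client's key and still pass.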

bshaffer commented 1 year ago

The version we are using in our tests is v6.4, so I think there is nothing to be done here.

bshaffer commented 1 year ago

see https://github.com/bshaffer/oauth2-server-php/pull/1049