WiredWonder opened 10 months ago
Any chance of a confirmation from anyone - owner or user?
We wanted to remind you that we’re working on a security enhancement feature to update the key used for signing the ID token issued during the OpenID Connect flow. This feature will be implemented on March 1, 2024. We are contacting you because we would like you to review your OpenID flow to determine if the ID token validation is implemented correctly or if you need to take action.
What is happening?
Our team is making a change to start returning more than one key in the response array returned by the oauth.platform.intuit.com/op/v1/jwks endpoint.
How does this impact me?
In the OpenID Connect flow, after making the call to exchange your auth code for an ID token, your app needs to validate the ID token and verify that the signing authority for responses is from Intuit. The recommended way to check the signature is to scan through the array of keys at oauth.platform.intuit.com/op/v1/jwks for the public key information. The kid value should match the value that was returned in the ID token header.
If you have implemented logic to validate the ID token, ensure you are looping through the array elements and finding the element that matches the kid value from the ID token header.
If your logic doesn’t loop through all the array elements and/or looks for only a specific array element for a match for kid, then your implementation may break due to the changes being implemented.
How can I validate whether I'm impacted?
Validate if you are using Intuit’s OpenID Connect. If you have not implemented OpenID Connect, this change does not impact you.
Validate if you have implemented ID token validation. If you have not implemented ID token validation, this change does not impact you.
Validate your ID token implementation:
a. If you’re using Intuit’s official Java SDK or PHP SDK to perform ID token validation, this change does not impact you. We still recommend that you test all flows.
b. If you’re using a version of Intuit’s .NET SDK prior to v14.6.3.6, you are impacted because the code in the older versions of this SDK did not loop through the array of public keys.
c. If you're using a version of the Ruby oAuth client library prior to v1.0.3, you are impacted because the code did not loop through the array of public keys.
d. If you’re not using any of the SDKs mentioned above, check your code to see if you are looping through the array of keys or if you are picking the first element. If your code doesn’t loop through all the array elements and/or looks for only a specific array element for a match for kid, then you are impacted.
What do I need to do next?
If you are using our Java SDK, then no action is required.
If you are using our PHP SDK, then no action is required.
If you are using our .NET SDK, then update it to the latest version, v14.6.3.6.
If you are using the Ruby oAuth client, then install and use the latest version, v1.0.3.
If you are not using any of our SDKs and validating the ID token through your custom code, please ensure you are following all the instructions given here, paying special attention to the instruction “Scan through the array of keys at oauth.platform.intuit.com/op/v1/jwks for the public key information. The kid value should match the value that was returned in the ID token header.”
If you are not validating the ID token, then your application will continue to work. However, you must validate the ID token to avoid man-in-the-middle impersonation.
When do I need to take action?
Depending on your usage of our SDK or your custom code, you need to take action (as described above) before March 1, 2024.
If I have more questions, how can I get help?
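The key-selection behaviour the email describes, shown as an added Ruby example (not code from this thread, from Intuit's SDKs, or from the consolibyte library). Two RSA key pairs are generated locally and packed into a JWKS document with the same shape as the one served at oauth.platform.intuit.com/op/v1/jwks; the kid values, issuer, audience and claims are constructed for the demo. `verify_first_key` is the pattern that breaks once the array holds more than one key, and `verify_by_kid` is the one the email asks for: read kid from the token header, scan the keys array for it, and fail closed if nothing matches.

```ruby
require "openssl"
require "base64"
require "json"

class TokenError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Pack an RSA public key into a JWK; the kid label is chosen by the caller.
def jwk_for(pkey, kid)
  { "kty" => "RSA", "alg" => "RS256", "use" => "sig", "kid" => kid,
    "n" => b64url(pkey.n.to_s(2)), "e" => b64url(pkey.e.to_s(2)) }
end

# Rebuild an OpenSSL public key from a JWK's n and e via a PKCS#1 RSAPublicKey DER.
def key_from_jwk(jwk)
  n = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["n"]), 2)
  e = OpenSSL::BN.new(Base64.urlsafe_decode64(jwk["e"]), 2)
  der = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)]).to_der
  OpenSSL::PKey::RSA.new(der)
end

# Mint an RS256 ID token whose header carries the kid of the signing key.
def sign_id_token(priv, kid, claims)
  header  = b64url(JSON.generate("alg" => "RS256", "typ" => "JWT", "kid" => kid))
  payload = b64url(JSON.generate(claims))
  input   = "#{header}.#{payload}"
  "#{input}.#{b64url(priv.sign(OpenSSL::Digest.new("SHA256"), input))}"
end

def signature_valid?(token, pub)
  h, p, s = token.split(".")
  pub.verify(OpenSSL::Digest.new("SHA256"), Base64.urlsafe_decode64(s), "#{h}.#{p}")
rescue OpenSSL::PKey::PKeyError
  false
end

# BROKEN: assumes the JWKS holds exactly one key and verifies against keys[0].
# Only works while the token happens to be signed by the first listed key.
def verify_first_key(token, jwks)
  signature_valid?(token, key_from_jwk(jwks["keys"][0]))
end

# CORRECT: take kid from the token header, find the matching array element, fail closed.
def verify_by_kid(token, jwks)
  header = JSON.parse(Base64.urlsafe_decode64(token.split(".")[0]))
  raise TokenError, "unexpected alg #{header['alg'].inspect}" unless header["alg"] == "RS256"
  jwk = jwks["keys"].find { |k| k["kid"] == header["kid"] }
  raise TokenError, "no JWK with kid #{header['kid'].inspect}" if jwk.nil?
  signature_valid?(token, key_from_jwk(jwk))
end

def rejected?(token, jwks)
  verify_by_kid(token, jwks)
  false
rescue TokenError
  true
end

# Constructed scenario: a JWKS listing two keys, tokens signed by each, plus a
# token from a key the JWKS does not contain. kid values and claims are made up.
def demo
  old_key = OpenSSL::PKey::RSA.new(2048)
  new_key = OpenSSL::PKey::RSA.new(2048)
  jwks = { "keys" => [jwk_for(old_key, "kid-old"), jwk_for(new_key, "kid-new")] }
  claims = { "iss" => "https://issuer.example", "sub" => "user-1", "aud" => "client-1",
             "exp" => Time.now.to_i + 300 }
  old_token   = sign_id_token(old_key, "kid-old", claims)
  new_token   = sign_id_token(new_key, "kid-new", claims)
  rogue_token = sign_id_token(OpenSSL::PKey::RSA.new(2048), "kid-rogue", claims)
  {
    first_key_old:  verify_first_key(old_token, jwks), # true
    first_key_new:  verify_first_key(new_token, jwks), # false: wrong key picked
    by_kid_old:     verify_by_kid(old_token, jwks),    # true
    by_kid_new:     verify_by_kid(new_token, jwks),    # true
    rogue_rejected: rejected?(rogue_token, jwks)       # true: unknown kid refused
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

Matching on kid only selects the key; the signature check is what authenticates the token, and the usual claim checks (iss, aud, exp, nonce) still belong after it. The example also pins alg to RS256 before looking up the key, so a header that names a different algorithm is refused rather than used to steer verification.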
Same here. I would like to know as well.
On second read this looks more related to the OpenID Connect flow, vs using just OAuth and the QBO API, I think. But I'll let the consolibyte engineers answer that.
So, are we ok or not? When May 3 rolls over, does everything stop? Do they have a test environment at intuit we can check it against?
I have not had a definitive answer. I am not aware of whether the sandbox is already enforcing the new key either, sorry.
As an FYI, things are working as expected for me - I haven't seen any issues in my workflows.
Is this SDK impacted by this change from Intuit?