Open s1ovac opened 7 months ago
Hey @s1ovac, it looks like this was caused by upgrading https://github.com/go-jose/go-jose #421 , which does the serialization for these types. I don't believe the key you posted is a valid key according to the spec? The JOSE specs use non-padded base64.
https://www.rfc-editor.org/rfc/rfc7515.html#section-2
> Base64 encoding using the URL- and filename-safe character set defined in Section 5 of RFC 4648 [RFC4648], with all trailing '=' characters omitted
See one of the examples from the JWK spec: https://www.rfc-editor.org/rfc/rfc7517.html#page-25
Or https://www.googleapis.com/oauth2/v3/certs
```json
{
  "keys": [
    {
      "kty": "RSA",
      "use": "sig",
      "e": "AQAB",
      "n": "vdtZ3cfuh44JlWkJRu-3yddVp58zxSHwsWiW_jpaXgpebo0an7qY2IEs3D7kC186Bwi0T7Km9mUcDbxod89IbtZuQQuhxlgaXB-qX9GokNLdqg69rUaealXGrCdKOQ-rOBlNNGn3M4KywEC98KyQAKXe7prs7yGqI_434rrULaE7ZFmLAzsYNoZ_8l53SGDiRaUrZkhxXOEhlv1nolgYGIH2lkhEZ5BlU53BfzwjO-bLeMwxJIZxSIOy8EBIMLP7eVu6AIkAr9MaDPJqeF7n7Cn8yv_qmy51bV-INRS-HKRVriSoUxhQQTbvDYYvJzHGYu_ciJ4oRYKkDEwxXztUew",
      "kid": "09bcf8028e06537d4d3ae4d84f5c5babcf2c0f0a",
      "alg": "RS256"
    },
    {
      "e": "AQAB",
      "kty": "RSA",
      "use": "sig",
      "alg": "RS256",
      "kid": "adf5e710edfebecbefa9a61495654d03c0b8edf8",
      "n": "y48N6JB-AKq1-Rv4SkwBADU-hp4zXHU-NcCUwxD-aS9vr4EoT9qrjoJ-YmkaEpq9Bmu1yXZZK_h_9QS3xEsO8Rc_WSvIQCJtIaDQz8hxk4lUjUQjMB4Zf9vdTmf8KdktI9tCYCbuSbLC6TegjDM9kbl9CNs3m9wSVeO_5JXJQC0Jr-Oj7Gz9stXm0Co3f7RCxrD08kLelXaAglrd5TeGjZMyViC4cw1gPaj0Cj6knDn8UlzR_WuBpzs_ies5BrbzX-yht0WfnhXpdpiGNMbpKQD04MmPdMCYq8ENF7q5_Ok7dPsVj1vHA6vFGnf7qE3smD157szsnzn0NeXIbRMnuQ"
    }
  ]
}
```
go-jose now uses a non-padded parser rather than lopping off the "=" characters:
What provider are you hitting this with? Can you open a bug against them?
Could be error inside parsing remoteKeySet

After library update to v3.10.0 from 3.9.0 got this error in parsing remote key.

```
oidc: invalid userinfo jwt signature fetching keys oidc: failed to decode keys: got Content-Type = application/json, but could not unmarshal as JSON: illegal base64 data at input byte 342 {"keys":[{"kid":"unique-key-identifier","use":"sig","alg":"RS256","kty":"RSA","e":"AQAB","n":"qssJQDlZeVfdJLTZP_pJl_1WfXXFwOc48L_sWnKloogwxTZ9SBIdn5k9mzSHQ7qsBCELO5imdZU5ubCxfN_DTcILFD3uVw1_H2zDlM2JdxLXAL6ao1pcTAQ3jEOYC8z1m6Nf8gEhnmQenQFliJM1Rma8bfs9-OOrVU2SdMiyBSFZ0g-KuUYIdAHrtcnmJhu9QHpqqvBY6VzyKLENShbWf1lM_fBqDhatdieiNgCZhRvxvfM4ZPrIKF5DCIw34ROp4ZoSkRBA6LVINDTHn2NFQ9_CLAyU8sLKJFEQkFgcOn85mAUD46rc1Vlw95Uc_JiZfPYe14QybQutQmIUsd5SmQ=="}]}
```
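A pre-upgrade check for the failure discussed in this thread, as an added example that is not code from go-jose or go-oidc: it decodes each base64url JWK member with Go's unpadded `base64.RawURLEncoding`, as the RFC 7515 rule quoted above requires, and reports which key and member a strict parser would reject. The names `CheckJWKS`, `Finding` and `sample` are hypothetical, and the sample JWKS is constructed (its `n` values are four bytes, not real moduli).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWK members that carry base64url data for RSA and EC public keys.
var b64Members = []string{"n", "e", "x", "y"}

// Finding describes one JWK member that a strict RFC 7515 decoder rejects.
type Finding struct{ Kid, Member, Reason string }

// CheckJWKS returns every member that is not unpadded base64url.
func CheckJWKS(doc []byte) ([]Finding, error) {
	var set struct {
		Keys []map[string]interface{} `json:"keys"`
	}
	if err := json.Unmarshal(doc, &set); err != nil {
		return nil, err
	}
	var out []Finding
	for _, k := range set.Keys {
		kid, _ := k["kid"].(string)
		for _, m := range b64Members {
			v, ok := k[m].(string)
			_, err := base64.RawURLEncoding.DecodeString(v)
			if !ok || err == nil {
				continue // member absent, or already spec-compliant
			}
			reason := "not valid base64url"
			trimmed := strings.TrimRight(v, "=")
			if _, err := base64.RawURLEncoding.DecodeString(trimmed); err == nil {
				reason = "trailing '=' padding"
			}
			out = append(out, Finding{kid, m, reason})
		}
	}
	return out, nil
}

// Constructed sample: key "padded" carries '=' padding on n, key "ok" does not.
const sample = `{"keys":[{"kid":"padded","kty":"RSA","e":"AQAB","n":"3q2-7w=="},
 {"kid":"ok","kty":"RSA","e":"AQAB","n":"3q2-7w"}]}`

func main() {
	fmt.Println(CheckJWKS([]byte(sample)))
}
```

Running this against a provider's JWKS before moving to the newer library shows whether the fix belongs with the provider, which is the bug report the reply asks for.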