Closed whiemstra closed 2 years ago
Never tested HS256, not sure if it is supported. Why do you use this and not RS256?
Greetings Damien
Thanks for your reaction. Good question; I think this is the standard algorithm for the software that our company uses at the moment. RS256 is of course possible, but I assumed that HS256 should be supported too, also because it was mentioned in issue #597.
How to change the algorithm while using angular-oauth2-oidc? Any ref config?
I would move away from HS256 and use RS256. This is more secure.
@kumaresan-subramani I would need to look into this; I never used HS256 and do not plan to use this either. I would recommend using RS256 or something better.
What version of the library are you using?
14.0.0 (and also tried 11.2.4 with the jsrsasign-reduced lib)
Describe the bug
ID token validation fails because of the HS256 algorithm. This was already issued before in: #597
To Reproduce
Steps to reproduce the behavior:
[ERROR] 0-efc5a4d4-b505-446c-a4f5-e2f73bc733aa - Error: Cannot infer kty from alg: HS256
Expected behavior
ID token is successfully validated and the user is logged in without any errors.
Additional context
This was already issued before in: #597 but I think it was not solved, because I also tried version 11.2.4, which gave me a different error:
KJUR.crypto.Mac unsupported password type
After debugging, this is present in the jsrsasign-reduced lib 8.0.0.15.
Also I found some comments before validateSignatureIdToken, which already state that HS256 is not supported:
// id_token C6: The alg value SHOULD be RS256. Validation of tokens using other signing algorithms is described in the
// OpenID Connect Core 1.0 [OpenID.Core] specification.
Thanks!