ging / fiware-idm

OAuth 2.0-based authentication of users and devices, user profile management, Single Sign-On (SSO) and Identity Federation across multiple administration domains.
https://keyrock-fiware.github.io
MIT License

Bug to access iShare Satellite #323

Closed pierre-josselin closed 1 year ago

pierre-josselin commented 1 year ago

As part of an i4Trust.org experiment, I want to use Keyrock as Authorization Registry.

When Keyrock tries to obtain a token from the iShare satellite, an error occurs:

<html>
<head><title>502 Bad Gateway</title></head>
<body>
<center><h1>502 Bad Gateway</h1></center>
<hr><center>nginx/1.21.6</center>
</body>
</html>

This is because the iShare JWT passed in the client_assertion field is not properly formed:

{
  "iss": "EU.EORI.NL123456789",
  "sub": "EU.EORI.NL123456789",
  "aud": [
    "EU.EORI.NL987654321",
    "https://satellite/connect/token"
  ],
  "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59",
  "exp": 1504683475,
  "iat": 1504683445
}

The problem comes from the aud field. It's an Array when it should be a string, as confirmed by the iShare documentation.

The aud claim MUST contain only the valid iSHARE identifier of the server. Including multiple audiences creates a risk of impersonation and is therefore not allowed.

The token should be formed as follows:

{
  "iss": "EU.EORI.NL123456789",
  "sub": "EU.EORI.NL123456789",
  "aud": "EU.EORI.NL987654321",
  "jti": "378a47c4-2822-4ca5-a49a-7e5a1cc7ea59",
  "exp": 1504683475,
  "iat": 1504683445
}