greenpau / caddy-security

🔐 Authentication, Authorization, and Accounting (AAA) App and Plugin for Caddy v2. 💎 Implements Form-Based, Basic, Local, LDAP, OpenID Connect, OAuth 2.0 (Github, Google, Facebook, Okta, etc.), SAML Authentication. MFA/2FA with App Authenticators and Yubico. 💎 Authorization with JWT/PASETO tokens. 🔐
https://authcrunch.com/
Apache License 2.0
1.4k stars 70 forks

breakfix: id_token signed with unsupported algorithm #221

Open routerino opened 1 year ago

routerino commented 1 year ago

Describe the issue

Attempting OIDC integration with Fusion Auth. Previously set up successfully with Keycloak. Getting the following error:

{"level":"warn","ts":1679792857.4263055,"logger":"security","msg":"Authentication failed","session_id":"k7BE2j8WU85wfLSuH8C85WbxrxNFjTDtqvt2FxPoAi2","request_id":"d6c479e7-1776-4540-904f-35ee764c69c4","error":"failed validating OAuth 2.0 access token: OAuth 2.0 failed to parse id_token: OAuth 2.0 id_token signed with unsupported algorithm: HS256"}

Configuration

{
    # do not attempt to install certs on the docker container
    skip_install_trust

    # security settings
    order authenticate before respond
    order authorize before basicauth

    security {
        oauth identity provider <mydomain> {
            delay_start 5
            driver generic
            realm <mydomain>
            client_id 3e6c5bd0-e0fa-431d-b588-c06c10062578
            client_secret <redacted>
            scopes openid email profile
            metadata_url https://login.<mydomain>/.well-known/openid-configuration/a17c408d-98d6-2805-711d-03f6fcd191cd
        }

        authentication portal defaultAuth {
            crypto default token lifetime 3600
            crypto key sign-verify <redacted>
            enable identity provider <mydomain>
            cookie domain *.<mydomain>.com.au
            ui {
                links {
                    "dev.<mydomain>.com.au" https://dev.<mydomain>.com.au/?folder=/mnt/containers icon "las la-star"
                    "dev-hs-ui.<mydomain>.com.au" https://dev-hs-ui.<mydomain>.com.au/ icon "las la-star"
                    "My Identity" "/whoami" icon "las la-user"
                }
            }
            transform user {
                match origin <mydomain>
                action add role authp/user
            }
        }

        authorization policy defaultPolicy {
            set auth url https://sso.<mydomain>.com.au
            allow roles authp/user
            crypto key verify <redacted>
        }
    }
}

Version Information

Provide output of caddy list-modules -versions | grep git below:

dns.providers.cloudflare
http.authentication.providers.authorizer
http.handlers.authenticator
security

  Non-standard modules: 4

Expected behavior

Successful Login

routerino commented 1 year ago

As a note, it does appear (as the error code implies) that fusionauth defaults to HS256 for signing its tokens. By downgrading to RSA256, the problem is solved, but going to leave this open as a compatibility problem.
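The warning in the first post and the workaround in the last one both come down to an algorithm allowlist: a verifier that checks id_tokens against the provider's public JWKS keys cannot accept HS256. As an added example (not caddy-security's own code), here is the shape of that check in Go, together with a setup-time check of the `id_token_signing_alg_values_supported` list from the provider's openid-configuration document; the allowlist, function names and sample tokens are assumptions constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Allowlist (an assumption for this example): only asymmetric algorithms that a JWKS-based
// verifier can check with public keys. HS256 is left out on purpose: it needs the client_secret
// as HMAC key, and accepting it beside RSA public keys is the classic algorithm-confusion mistake.
var supportedAlgs = map[string]bool{"RS256": true, "RS384": true, "RS512": true, "ES256": true, "ES384": true, "ES512": true}

// CheckIDTokenAlg reads alg from the compact JWT header and rejects the token before any
// key lookup, as the warning in the issue does. It verifies no signature.
func CheckIDTokenAlg(token string) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", fmt.Errorf("malformed id_token: want 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", fmt.Errorf("malformed id_token header: %w", err)
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return "", fmt.Errorf("malformed id_token header: %w", err)
	}
	if !supportedAlgs[hdr.Alg] {
		return hdr.Alg, fmt.Errorf("id_token signed with unsupported algorithm: %s", hdr.Alg)
	}
	return hdr.Alg, nil
}

// CommonAlgs returns the entries of id_token_signing_alg_values_supported (taken from the
// openid-configuration at metadata_url) that the allowlist accepts; an empty result means
// every login would fail exactly like the one in the issue.
func CommonAlgs(advertised []string) []string {
	var common []string
	for _, a := range advertised {
		if supportedAlgs[a] {
			common = append(common, a)
		}
	}
	return common
}

// Constructed sample tokens (not real): headers {"alg":"HS256","typ":"JWT"} and
// {"alg":"RS256","typ":"JWT"}, empty payload, dummy signature.
const hs256Token, rs256Token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig", "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.e30.sig"
```

Running the advertised list from the provider's openid-configuration through CommonAlgs before enabling the provider surfaces an HS256-only default without anyone having to hit the Authentication failed warning first.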