istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0
220 stars 62 forks

Microsoft Identity JWKS "alg" issue #246

Closed erik-h closed 7 months ago

erik-h commented 7 months ago

We're using Istio authservice's OIDC functionality with Microsoft Identity/Entra as the identity provider. After login, the authservice logs display the error:

level=error msg="error verifying id token with fetched jwks" x-request-id="..." scope="authz" type="oidc" session-id="..." error="could not verify message using any of the signatures or keys"

Microsoft's JWKS keys don't contain an "alg" object key that the github.com/lestrrat-go/jwx/v2/jws library assumes will be there by default, used to determine which key to use for verification.

I found that changing the jws.WithKeySet() call on this line to jws.WithKeySet(jwtSet, jws.WithInferAlgorithmFromKey(true)) solves the issue by inferring the algorithm to use.

Could authservice add some sort of configuration option to allow for the algorithm key to be inferred like this? Without it, it doesn't look like it's possible to use Entra as an identity provider.

nacx commented 7 months ago

Thanks for reporting! Adding a config option makes total sense. I'd keep it off by default, as it's more secure, but allow enabling via config. Given that you've already played with the code, do you want to try opening a PR to address this?

sergicastro commented 7 months ago

Hey, I've been digging a bit into how lestrrat-go/jwx/v2 uses the WithInferAlgorithmFromKey option and I think we can use it by default, with no additional configuration option.

The option enables this part of the code: https://github.com/lestrrat-go/jwx/blob/v2.0.21/jws/key_provider.go#L127 which checks if the algorithm is given in the token's headers or checks all the possible algorithms for the key type.

But this is a fallback in case the algorithm is not present in the JWKS key itself, since it first checks that here: https://github.com/lestrrat-go/jwx/blob/v2.0.21/jws/key_provider.go#L117

Feel free to open a PR adding it and please add a test case here with a key set and a token matching your case.

Thanks!
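To make the two code paths discussed above concrete, here is an added Go program (not authservice or jwx code) that models the key-provider logic with the standard library only: a JWKS entry lacking "alg" is never used by the strict path, while the inferAlg fallback accepts the header's algorithm when it is valid for the key type. The jwk struct, verifyRS256 and signRS256 are assumptions made for this example, and the token it signs is constructed test data.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// jwk holds the JWKS fields used here; Key stands in for a real entry's n/e members.
type jwk struct {
	Kty, Kid, Alg string
	Key           *rsa.PublicKey
}

// verifyRS256 checks a compact JWS against a key set; inferAlg selects whether a
// key lacking "alg" may still be used (the WithInferAlgorithmFromKey behaviour).
func verifyRS256(token string, keys []jwk, inferAlg bool) error {
	parts := strings.SplitN(token, ".", 3)
	hdrJSON, _ := base64.RawURLEncoding.DecodeString(parts[0])
	var hdr struct{ Alg, Kid string }
	if len(parts) != 3 || json.Unmarshal(hdrJSON, &hdr) != nil {
		return errors.New("malformed JWS")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range keys {
		// Strict: the key must state alg. Inferred: "" is acceptable when the header's
		// alg is valid for the key type (RS256 for RSA), which is the jwx fallback.
		usable := k.Alg == "RS256" || (inferAlg && k.Alg == "" && k.Kty == "RSA" && hdr.Alg == "RS256")
		if usable && k.Kid == hdr.Kid &&
			rsa.VerifyPKCS1v15(k.Key, crypto.SHA256, digest[:], sig) == nil {
			return nil // key matched by kid, algorithm known, signature valid
		}
	}
	return errors.New("could not verify message using any of the signatures or keys")
}

// signRS256 builds a constructed test token with header {"alg":"RS256","kid":kid}.
func signRS256(priv *rsa.PrivateKey, kid, payload string) string {
	h := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","kid":"` + kid + `"}`))
	p := base64.RawURLEncoding.EncodeToString([]byte(payload))
	d := sha256.Sum256([]byte(h + "." + p))
	s, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return h + "." + p + "." + base64.RawURLEncoding.EncodeToString(s)
}
```

With inferAlg off, a key set without "alg" yields the same "could not verify message" failure the issue reports; with it on, the same token verifies, and a token signed by a different key or with a malformed structure is still rejected.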

erik-h commented 7 months ago

Thanks for the responses! I've created a PR: #247. I'm new to Go, so I wasn't quite sure how best to lay out the test - let me know if you want me to tweak that at all.

nacx commented 7 months ago

Fixed in https://github.com/istio-ecosystem/authservice/pull/247