mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

JWS token verification failed.... even with HS256 set and no other token provider in Keycloak. #382

Open strus38 opened 3 years ago

strus38 commented 3 years ago

Hi

I am deploying Netbox on K8S and I am trying to add OIDC with Keycloak to allow SSO on Netbox. So I have made the necessary changes, I guess, but it is failing on a JWT issue even though HS256 is the only token provider on Keycloak! Error: JWS token verification failed.

OIDC_ALLOW_UNSECURED_JWT | True
OIDC_OP_AUTHORIZATION_ENDPOINT | 'https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/auth'
OIDC_OP_JWKS_ENDPOINT | ''
OIDC_OP_TOKEN_ENDPOINT | '********************'
OIDC_OP_USER_ENDPOINT | 'https://keycloak.home.lab/auth/realms/master/protocol/openid-connect/userinfo'
OIDC_RP_CLIENT_ID | 'netbox'
OIDC_RP_CLIENT_SECRET | '********************'
OIDC_RP_IDP_SIGN_KEY | '********************'
OIDC_RP_SIGN_ALGO | 'HS256'
OIDC_VERIFY_JWT | False
OIDC_VERIFY_SSL | False

By the way: OIDC_VERIFY_JWT does not seem to do anything! Removing OIDC_OP_JWKS_ENDPOINT does not work either.

strus38 commented 3 years ago

I also tried with the RS256 algorithm; it is failing with: 'bytes' object has no attribute 'verifier'. However, all seems correct. In payload_data = self.get_payload_data(token, key):

key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'
kwargs | {'nonce': 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'}
nonce | 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'
self | <mozilla_django_oidc.auth.OIDCAuthenticationBackend object at 0x7f96fc56e2d0>

In return self._verify_jws(token, key):

header | {'alg': 'RS256',  'kid': 'ToolyFm_gdhmy_4ZK4E0d9lTZQWfmjgXBRQTj2Dngds',  'typ': 'JWT'}
key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'

If I take the token and the key, all seems perfect.

So what is happening??

strus38 commented 3 years ago

I could move forward by replacing the token key by the JWT endpoint ... but then it fails with the other defect I opened.

pedromendes96 commented 3 years ago

@strus38 any extra information why HS256 doesn't work?

strus38 commented 3 years ago

I think the user info is not decoded, cf. the code.


variable commented 3 years ago

I was having the same problem with HS256; then I changed to RS256 and defined OIDC_OP_JWKS_ENDPOINT, and it worked:

OIDC_RP_SIGN_ALGO = 'RS256'
OIDC_OP_JWKS_ENDPOINT = 'https://keycloak-dev/auth/realms/test/protocol/openid-connect/certs'

leuat commented 3 years ago

I'm having the same problem with HS256 (JWS token verification failed), but when changing to RS256 and defining OIDC_OP_JWKS_ENDPOINT to ../certs, I get a JSON parser exception.. see https://github.com/mozilla/mozilla-django-oidc/issues/421

JulienFS commented 3 months ago

It might be a key format issue, see https://github.com/mozilla/mozilla-django-oidc/issues/505#issuecomment-2257988592 (I had a similar issue and now have a working setup with Keycloak).
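Two things the thread converges on can be checked before touching the library: the token's own `alg` header (RS256 in the traceback above) versus OIDC_RP_SIGN_ALGO (HS256 in the first config), and a public key pasted as bare base64 with no PEM armor, as in the locals dump, which is the kind of key-format issue the last comment points at. The diagnostic below is an added example, not mozilla-django-oidc code; `check_rp_settings`, `as_pem` and the sample token are constructed here, and no signature is verified.

```python
import base64
import json
import textwrap

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token: the header claims RS256 like the one in the
# traceback; the signature segment is a dummy (nothing here verifies it).
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "kid": "example-kid", "typ": "JWT"}).encode()),
    _b64url(json.dumps({"iss": "https://idp.example/realms/master", "aud": "netbox"}).encode()),
    _b64url(b"dummy-signature"),
]).encode()  # bytes, as the token appears in the locals dump

def jose_header(token) -> dict:
    """Decode the unverified JOSE header (first dot-separated segment)."""
    if isinstance(token, bytes):
        token = token.decode("ascii")
    seg = token.split(".")[0]
    seg += "=" * (-len(seg) % 4)  # restore the base64url padding JWTs strip
    return json.loads(base64.urlsafe_b64decode(seg))

def check_rp_settings(token, sign_algo, jwks_endpoint="", idp_sign_key=""):
    """Return a list of RP settings that cannot match the token handed in."""
    findings = []
    alg = jose_header(token).get("alg")
    if alg != sign_algo:
        findings.append(f"token is signed with {alg} but OIDC_RP_SIGN_ALGO is {sign_algo}")
    if sign_algo.startswith("RS") and not (jwks_endpoint or idp_sign_key):
        findings.append("RS256 needs OIDC_OP_JWKS_ENDPOINT or OIDC_RP_IDP_SIGN_KEY")
    if idp_sign_key and not idp_sign_key.lstrip().startswith("-----BEGIN"):
        findings.append("OIDC_RP_IDP_SIGN_KEY is bare base64, not PEM; wrap it with as_pem()")
    return findings

def as_pem(bare_b64: str) -> str:
    """Wrap a bare base64 public key (as pasted above) into PEM armor."""
    body = "".join(bare_b64.split())  # also drops the trailing '\n' seen above
    if body.startswith("-----BEGIN"):
        return bare_b64  # already PEM, leave untouched
    lines = "\n".join(textwrap.wrap(body, 64))
    return f"-----BEGIN PUBLIC KEY-----\n{lines}\n-----END PUBLIC KEY-----\n"

if __name__ == "__main__":
    print(check_rp_settings(SAMPLE_TOKEN, "HS256"))
    print(check_rp_settings(SAMPLE_TOKEN, "RS256", idp_sign_key="MIIBIjAN...AQAB\n"))
```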