Open strus38 opened 3 years ago
I also tried with the RS256 algorithm; it is failing with: 'bytes' object has no attribute 'verifier'
However, all seems correct:
In payload_data = self.get_payload_data(token, key)
key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'
-- | --
kwargs | {'nonce': 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'}
nonce | 'TXYU8AXzWCKzAD2UHPpVxAfSIpNtdATW'
self | <mozilla_django_oidc.auth.OIDCAuthenticationBackend object at 0x7f96fc56e2d0>
token | (b'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJUb29seUZtX2dkaG15XzRaSzRF' b'MGQ5bFRaUVdmbWpnWEJSUVRqMkRuZ2RzIn0.eyJleHAiOjE2MDQxMzg5OTMsImlhdCI6MTYwNDEz' b'ODkzMywiYXV0aF90aW1lIjoxNjA0MTM4NzQ2LCJqdGkiOiJjODg0ZmY3Mi02NzM4LTQ1NzEtOWJl' b'MS0xMTc1NmNkYzlkMDYiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLmhvbWUubGFiL2F1dGgvcmVh' b'bG1zL21hc3RlciIsImF1ZCI6Im5ldGJveCIsInN1YiI6IjVhNmVmNWQ3LWI2YzktNDk1Yi05NjM5' b'LTY0NmI3NTRkNGYwMCIsInR5cCI6IklEIiwiYXpwIjoibmV0Ym94Iiwibm9uY2UiOiJUWFlVOEFY' b'eldDS3pBRDJVSFBwVnhBZlNJcE50ZEFUVyIsInNlc3Npb25fc3RhdGUiOiI3MDg4YTUzMC0wMTIw' b'LTQ2ZTYtODNmNy0yOTg4YzYyYWY4YjgiLCJhY3IiOiIwIiwiZW1haWxfdmVyaWZpZWQiOmZhbHNl' b'LCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJrZXljbG9hayJ9.aFGu1rXnTzDjX6JBmXJJsrsIftzGLIk' b'ZxwktgXHCJ8SYD3qbMC0LnpZy_mvQcyCgl0pL4f9a_OrCsUWdn9CDWYrMYwn5drGCJ565uUMJZXw' b'SiAjCU0BXmQA7Ggtpi03iJ5XYRpAjDJDSTj3Jpb7IFDohnI4R31nxnzGOoTtr1H6CQPrOUmiExfi' b'PW9eyaNdeNhX1iO8iVffzBFplv69dywmSubmgc-_pgrCQl5CnzI2dotlW2iKZMPtUMhUfIrBTIri' b'T-0_oPo2OAiu1x9I-bADnCg-UllfEYkD-82j87hq3iI_Pz3yH3VsOMVjm3O93CulXgJIfWVCi_g3' b'nZR01Sg')
In return self._verify_jws(token, key)
header | {'alg': 'RS256', 'kid': 'ToolyFm_gdhmy_4ZK4E0d9lTZQWfmjgXBRQTj2Dngds', 'typ': 'JWT'}
-- | --
key | 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkMajTF5JfM7+Bq3vuxo0b1uScGV2yuhcALhYng16GvkBpMi0HbiHbKlU6RVSLIDkJrSRg1zBhwkticiETKaxyRjhzyidumrhbHbKe6J//jlgD6W6x8GIeOOVclb1ioSPrcY/HF//6zq6V1hvL+MlSXS5FXau3ss2Pnh3QvOghwnYZsG7xGu9ZnfEoTuZMAbLMzsR7lnU4ZF74WxC9T9b5+gID5TddKY94j+lXpDEaUE3/jAy+cb1w0hfsYVXknxo/GCDcB2PmBkJbs9c7FiY2WbTL5Cgu5Deag9v6IJ1Yj5Nz6apv1+bGOqqTOnhGi62DcebKSUNTUCt8K+U5yYBaQIDAQAB\n'
If I take the token and the key, all seems perfect:
So what is happening??
I could move forward by replacing the token key by the JWT endpoint ... but then it fails with the other defect I opened.
@strus38 any extra information why HS256 doesn't work?
I think the user info is not decoded, cf. the code.
On Fri, 20 Nov 2020 at 16:56, Pedro Mendes notifications@github.com wrote:
@strus38 https://github.com/strus38 any extra information why HS256 doesn't work?
I was having the same problem with HS256, then I changed to RS256 and defined the OIDC_OP_JWKS_ENDPOINT, then it worked:
```python
OIDC_RP_SIGN_ALGO = 'RS256'
OIDC_OP_JWKS_ENDPOINT = 'https://keycloak-dev/auth/realms/test/protocol/openid-connect/certs'
```
I'm having the same problem with HS256 (JWS token verification failed), but when changing to RS256 and defining OIDC_OP_JWKS_ENDPOINT to ../certs, I get a JSON parser exception; see https://github.com/mozilla/mozilla-django-oidc/issues/421
It might be a key format issue, see https://github.com/mozilla/mozilla-django-oidc/issues/505#issuecomment-2257988592 (I had a similar issue and now have a working setup with keycloak).
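A pre-flight check for the two mismatches raised in this thread (the token's `alg` versus the configured signing algorithm, and the format of a statically configured key), as an added example that is not code from any participant or from mozilla-django-oidc. The function names and sample values are hypothetical, and it assumes a static key for an asymmetric algorithm is expected in PEM form.

```python
import base64
import json
import textwrap

def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWS strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jws_header(token):
    """Return the unverified JOSE header of a compact JWS (for diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def key_format(key):
    """Heuristically classify a key string: 'pem', 'bare-base64-der' or 'opaque'."""
    text = key.strip()
    if text.startswith("-----BEGIN "):
        return "pem"
    try:
        der = base64.b64decode(text, validate=True)
    except ValueError:
        return "opaque"  # e.g. an HMAC shared secret
    # DER-encoded keys (SubjectPublicKeyInfo) begin with a SEQUENCE tag, 0x30.
    return "bare-base64-der" if der[:1] == b"\x30" else "opaque"

def to_pem(bare_b64):
    """Wrap bare base64 DER (assumed SubjectPublicKeyInfo) in PEM armor."""
    body = "\n".join(textwrap.wrap(bare_b64.strip(), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def diagnose(token, configured_alg, key):
    """Compare the token's header with the configured algorithm and key."""
    findings = []
    alg = jws_header(token).get("alg")
    if alg != configured_alg:
        findings.append(f"alg mismatch: token={alg} configured={configured_alg}")
    if str(alg).startswith(("RS", "PS", "ES")) and key_format(key) != "pem":
        findings.append(f"asymmetric alg {alg} but key format is {key_format(key)}")
    return findings

# Constructed sample data: not a real key and not a real token.
SAMPLE_KEY = base64.b64encode(b"\x30\x0d" + bytes(13)).decode()
_seg = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
SAMPLE_TOKEN = ".".join([_seg({"alg": "RS256", "typ": "JWT"}), _seg({"aud": "netbox"}), "c2ln"])

if __name__ == "__main__":
    for line in diagnose(SAMPLE_TOKEN, "HS256", SAMPLE_KEY):
        print(line)
```

The header is read without verifying the signature, so use the result only to diagnose configuration, never to decide whether a token is trusted.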
Hi
I am deploying Netbox on K8S and I am trying to add OIDC with Keycloak to allow SSO on Netbox. So I have done the necessary changes - I guess - but it is failing on a JWT issue even if HS256 is the only token provider on Keycloak! Error: JWS token verification failed.
By the way: OIDC_VERIFY_JWT does not seem to do anything! Removing OIDC_OP_JWKS_ENDPOINT does not work either.