mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

SuspiciousOperation at /oidc/callback/: The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO #456

Closed rv2931 closed 2 years ago

rv2931 commented 2 years ago

Hello, I have a bitnami/keycloak Docker instance on my local dev machine and am trying to authenticate a Django mozilla-django-oidc client. The first problem I met was a

"ConnectionError at /oidc/callback/" Failed to establish a new connection: [Errno 111] Connection refused

I solved this error by replacing "localhost" with "host.docker.internal:8443" for OIDC_OP_AUTHORIZATION_ENDPOINT, OIDC_OP_TOKEN_ENDPOINT and OIDC_OP_USER_ENDPOINT. It is due to the use of the Docker platform: here localhost is not the real localhost, so you have to use host.docker.internal.

Then I met

SSLError at /oidc/callback/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

As my keycloak instance is not using a verified SSL cert, I added OIDC_VERIFY_SSL=False in my dev.py platform settings.

Now I'm stuck with the error

SuspiciousOperation at /oidc/callback/ The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO.

I have tried different values of the OIDC_RP_IDP_SIGN_KEY setting, which seems to be linked to OIDC_OP_JWKS_ENDPOINT, but I didn't manage to solve this error. It seems to be linked to encryption, but changing OIDC_RP_IDP_SIGN_KEY hasn't changed anything so far.

If you have an idea of the source of this problem and could explain it a little, it would be great. I surely have something to do somewhere: the oidc plugin? keycloak?

Thank you in advance for your support. As I'm a beginner with Django I don't really know which data to supply to help you. Here you have the traceback:

```
Environment:

Request Method: GET
Request URL: http://localhost:8000/oidc/callback/?state=6XEeOdgst8n6x7EUNqGwHGSvjmXEMQ2d&session_state=3d1077b2-9b45-4123-b344-64ed006ba02a&code=0971c565-f4cd-42a2-9a31-e41fba22c8ab.3d1077b2-9b45-4123-b344-64ed006ba02a.663462e2-940c-4fc2-84d0-aac963c73d7f

Django Version: 4.0.3
Python Version: 3.9.12
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'mozilla_django_oidc']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware']

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/usr/local/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/views/generic/base.py", line 84, in view
    return self.dispatch(request, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/views/generic/base.py", line 119, in dispatch
    return handler(request, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/views.py", line 101, in get
    self.user = auth.authenticate(**kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/usr/local/lib/python3.9/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 284, in authenticate
    payload = self.verify_token(id_token, nonce=nonce)
  File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 196, in verify_token
    payload_data = self.get_payload_data(token, key)
  File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 181, in get_payload_data
    return self._verify_jws(token, key)
  File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 127, in _verify_jws
    raise SuspiciousOperation(msg)

Exception Type: SuspiciousOperation at /oidc/callback/
Exception Value: The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO.
```

rv2931 commented 2 years ago

Hi, I finally partially solved my problem. I was using OIDC_RP_IDP_SIGN_KEY="RS256" instead of OIDC_RP_SIGN_ALGO="RS256", and I had to fill OIDC_RP_IDP_SIGN_KEY with the Kid from the Keycloak RS256 key. So a good configuration for Keycloak seems to be

```python
OIDC_RP_SIGN_ALGO = "RS256"
OIDC_RP_IDP_SIGN_KEY = 'Key from realm settings>keys>RS256>Kid'
```

Now I'm facing an AttributeError at /oidc/callback/: 'bytes' object has no attribute 'verify'

but as I have already read about this error, I think it is a common one, so I'll close this ticket and open another one if needed.
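The two checks behind the thread's error, as a self-contained Python illustration (added here; this is not mozilla-django-oidc's own code): the relying party pins the expected signature algorithm in OIDC_RP_SIGN_ALGO (the library's default is "HS256", which is why an RS256 id_token from Keycloak is rejected until the setting is changed, as in the second comment) and then picks the provider key from the JWKS endpoint by `kid`, requiring the key's `alg` to agree with the header. The settings dicts, the JWKS document and the token are constructed sample values.

```python
import base64
import json

# Constructed settings: the library default, and the thread's fix.
DEFAULT_SETTINGS = {"OIDC_RP_SIGN_ALGO": "HS256"}
FIXED_SETTINGS = {"OIDC_RP_SIGN_ALGO": "RS256"}

# Constructed JWKS shaped like an OIDC_OP_JWKS_ENDPOINT response (key material elided).
SAMPLE_JWKS = {"keys": [
    {"kid": "kid-example-1", "kty": "RSA", "alg": "RS256", "use": "sig"},
    {"kid": "kid-example-2", "kty": "RSA", "alg": "RS512", "use": "sig"},
]}

class SuspiciousOperation(Exception):
    """Stand-in for django.core.exceptions.SuspiciousOperation."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64url(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_token(alg: str, kid: str) -> str:
    """Build a constructed id_token with a dummy signature; only the header matters here."""
    header = _b64url(json.dumps({"alg": alg, "kid": kid, "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": "user-1", "iss": "https://op.example"}).encode())
    return f"{header}.{payload}.{_b64url(b'dummy-signature')}"

def jose_header(token: str) -> dict:
    """Read the unverified JOSE header; only alg and kid are consulted, nothing is trusted."""
    return json.loads(_unb64url(token.split(".")[0]))

def check_alg(token: str, settings: dict) -> str:
    """Pin the algorithm to the configured one instead of trusting the token's header."""
    alg = jose_header(token).get("alg")
    if alg != settings["OIDC_RP_SIGN_ALGO"]:
        raise SuspiciousOperation(
            f"The provider algorithm '{alg}' does not match the client's OIDC_RP_SIGN_ALGO.")
    return alg

def select_jwk(token: str, jwks: dict) -> dict:
    """Choose the provider key by kid, requiring its alg to agree with the header."""
    hdr = jose_header(token)
    for jwk in jwks["keys"]:
        if jwk.get("kid") == hdr.get("kid") and jwk.get("alg") == hdr.get("alg"):
            return jwk
    raise SuspiciousOperation("Could not find a valid JWKS.")
```

With the default settings `check_alg` raises the exact message from the traceback; after setting OIDC_RP_SIGN_ALGO to "RS256" it passes and `select_jwk` returns the RS256 key whose `kid` the token names.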