openid-certification / oidctest

THE CERTIFICATION TEST SUITE HAS BEEN MIGRATED TO A NEW SERVICE https://www.certificatinon.openid.net

add an OP and RP test to detect JWT algorithm confusion #139

Open zandbelt opened 5 years ago

zandbelt commented 5 years ago

As @jpf suggested, we should add an OP and RP test that detects algorithm confusion as described in: https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html

For RP testing: a negative test for rp-response_type-code where a regular RS256 id_token is generated by the test suite and expected by the RP; we should produce an HS256 JWT that is signed with the PEM formatted representation of the public key and see that the RP rejects that ID token.

For OP testing: a negative test for OP-request-Sig where the test suite generates a request object that is signed with HS256 using the PEM formatted representation of the RSA public key as the symmetric key value, and see that the OP rejects that request object.
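The negative test sketched above, as an added example that is not oidctest's own code: it builds the HS256 token keyed with the PEM text (this is the input for both the RP id_token case and the OP request-object case), shows that a verifier which dispatches on the header `alg` and reuses its configured key bytes accepts it, and shows the guard an RP or OP should run before any signature check. The PEM string is a constructed placeholder, and the registered algorithm name passed to `alg_guard` is assumed to come from the client's `id_token_signed_response_alg` or `request_object_signing_alg` metadata.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder for the OP's RSA public key; the confused token
# only needs the PEM text, which is public (e.g. derived from the JWKS).
RSA_PUBLIC_PEM = (
    "-----BEGIN PUBLIC KEY-----\n"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAplaceholder==\n"
    "-----END PUBLIC KEY-----\n"
)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_confused_token(claims: dict, public_pem: str) -> str:
    """Test-suite input: an HS256 JWT whose MAC key is the PEM text of the RSA public key."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    mac = hmac.new(public_pem.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"

def naive_hs256_check(token: str, key_material: str) -> bool:
    """Vulnerable pattern: trust the header alg and feed whatever key bytes are configured to HMAC."""
    header, payload, sig = token.split(".")
    mac = hmac.new(key_material.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(mac, b64url_decode(sig))

def alg_guard(token: str, key_material: str, expected_alg: str):
    """Pin the algorithm before any cryptographic check. Returns (accepted, reason)."""
    alg = json.loads(b64url_decode(token.split(".")[0])).get("alg")
    if not alg or alg == "none":
        return False, "missing or 'none' alg"
    # An HMAC alg can never be valid for an asymmetric key: a PEM public key is
    # not a shared secret, whatever the header claims.
    if alg.startswith("HS") and "-----BEGIN" in key_material:
        return False, "HMAC alg presented for an asymmetric public key"
    if alg != expected_alg:
        return False, f"alg {alg!r} does not match registered {expected_alg!r}"
    return True, "alg accepted; proceed to signature verification"

if __name__ == "__main__":
    tok = make_confused_token({"iss": "https://op.example", "sub": "alice"}, RSA_PUBLIC_PEM)
    print("naive check accepts:", naive_hs256_check(tok, RSA_PUBLIC_PEM))  # True
    print("guard:", alg_guard(tok, RSA_PUBLIC_PEM, "RS256"))             # (False, ...)
```

The same `make_confused_token` output serves as the OP-side request object when the claims carry `client_id`, `response_type` and `redirect_uri`; the expected outcome in both tests is that the guard (or the conformant library behind it) rejects it.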

selfissued commented 5 years ago

This sounds like a worthwhile enhancement.