Open hijiki51 opened 1 year ago
Preflight checklist

Ory Network Project

No response

Describe the bug

`OpenIDConnectRequestValidator.ValidatePrompt` decodes `id_token_hint` when it is passed. The `Decode` function uses the `jwt.Signer` passed here: `compose.CommonStrategy.Signer`. But `id_token` is signed by another signer passed here (`compose.CommonStrategy.OpenIDConnectTokenStrategy`). When `id_token` and the other tokens (like `access_token`) are signed with different keys, decoding `id_token_hint` fails. I think `OpenIDConnectRequestValidator` should use `compose.CommonStrategy.OpenIDConnectTokenStrategy.Signer` instead of `compose.CommonStrategy.Signer`.

Reproducing the bug

1. Set up two different private keys.
2. Configure `fosite.OAuth2Provider` using the two different keys like this:

```go
keyGetter1 := func(context.Context) (interface{}, error) { return key1, nil }
keyGetter2 := func(context.Context) (interface{}, error) { return key2, nil }

oauth2 := compose.Compose(
	config,
	storage,
	&CommonStrategy{
		CoreStrategy:               NewOAuth2HMACStrategy(config),
		OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter1, config), // id_tokens: key1
		Signer:                     &jwt.DefaultSigner{GetPrivateKey: keyGetter2}, // everything else: key2
	},
	OAuth2AuthorizeExplicitFactory,
	OAuth2AuthorizeImplicitFactory,
	OAuth2ClientCredentialsGrantFactory,
	OAuth2RefreshTokenGrantFactory,
	OAuth2ResourceOwnerPasswordCredentialsFactory,
	RFC7523AssertionGrantFactory,
	OpenIDConnectExplicitFactory,
	OpenIDConnectImplicitFactory,
	OpenIDConnectHybridFactory,
	OpenIDConnectRefreshFactory,
	OAuth2TokenIntrospectionFactory,
	OAuth2TokenRevocationFactory,
	OAuth2PKCEFactory,
	PushedAuthorizeHandlerFactory,
)
```

3. Access the authorization endpoint with an `id_token_hint` parameter.

Relevant log output

```
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: invalid_request
github.com/ory/x/errorsx.WithStack
	github.com/ory/x@v0.0.589/errorsx/errors.go:41
github.com/ory/fosite/handler/openid.(*OpenIDConnectRequestValidator).ValidatePrompt
	github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/validator.go:141
github.com/ory/fosite/handler/openid.(*OpenIDConnectExplicitHandler).HandleAuthorizeEndpointRequest
	github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/flow_explicit_auth.go:50
github.com/ory/fosite.(*Fosite).NewAuthorizeResponse
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: go-jose/go-jose: error in cryptographic primitive
```

Relevant configuration

No response

Version

github.com/ory/fosite v0.44.1-0.20230807143048-1df109bb45fa

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response
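The key mismatch the report describes, as an added, self-contained example that is not part of the issue and not fosite's or go-jose's code. It models the two signer slots of the reporter's `CommonStrategy` with a minimal compact-JWS signer that verifies only against its own key, issues an `id_token` under the OIDC strategy's key, and then decodes it as `id_token_hint` both ways: with `CommonStrategy.Signer` (the behaviour reported) and with `OpenIDConnectTokenStrategy.Signer` (the fix proposed). Assumptions: the keys are Ed25519 (the issue does not state a key type), the JWS signing and verification is written out here instead of calling go-jose, and `Signer`, `CommonStrategy`, `newSigner`, `Reproduce` and the sample claims are all names constructed for this example.

```go
package main

import (
	"context"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// KeyGetter mirrors keyGetter1/keyGetter2 in the issue's Compose call, narrowed here to Ed25519 (assumption; the key type is not stated).
type KeyGetter func(ctx context.Context) (ed25519.PrivateKey, error)

// Signer is a small EdDSA stand-in for fosite's jwt.DefaultSigner (not its real code): it signs with the key its getter returns and verifies only against that same key.
type Signer struct{ GetPrivateKey KeyGetter }

// newSigner generates a fresh Ed25519 key and wraps it in the getter shape used by the issue's configuration.
func newSigner() *Signer {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Signer{GetPrivateKey: func(context.Context) (ed25519.PrivateKey, error) { return priv, nil }}
}

// Sign produces a compact JWS (header.payload.signature) with alg EdDSA.
func (s *Signer) Sign(ctx context.Context, claims map[string]interface{}) (string, error) {
	priv, err := s.GetPrivateKey(ctx)
	if err != nil {
		return "", err
	}
	header, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	input := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	return input + "." + base64.RawURLEncoding.EncodeToString(ed25519.Sign(priv, []byte(input))), nil
}

// Decode verifies the token under this signer's own key and returns its claims. A token issued under another key fails here: that is the id_token_hint failure the issue reports.
func (s *Signer) Decode(ctx context.Context, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	priv, err := s.GetPrivateKey(ctx)
	if err != nil {
		return nil, err
	}
	// ed25519.Verify rejects wrong-length signatures itself, so no separate size check is needed.
	if !ed25519.Verify(priv.Public().(ed25519.PublicKey), []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("error in cryptographic primitive: token was not signed with this signer's key")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// CommonStrategy mirrors the two signer slots in the issue's configuration.
type CommonStrategy struct {
	OpenIDConnectTokenStrategy *Signer // issues id_tokens (keyGetter1)
	Signer                     *Signer // signs everything else, e.g. JWT access tokens (keyGetter2)
}

// Reproduce builds the issue's two-key setup, issues an id_token under the OIDC strategy's key, then validates it as
// id_token_hint both ways: reportedErr is from decoding with CommonStrategy.Signer, proposedErr from the issuing strategy.
func Reproduce() (reportedErr, proposedErr error) {
	ctx := context.Background()
	cs := &CommonStrategy{
		OpenIDConnectTokenStrategy: newSigner(), // key1
		Signer:                     newSigner(), // key2
	}
	// Constructed sample claims for the id_token a client later sends back as id_token_hint.
	hint, err := cs.OpenIDConnectTokenStrategy.Sign(ctx, map[string]interface{}{"iss": "https://issuer.example", "sub": "user-123", "aud": "client-abc"})
	if err != nil {
		panic(err)
	}
	_, reportedErr = cs.Signer.Decode(ctx, hint)                     // what ValidatePrompt does today
	_, proposedErr = cs.OpenIDConnectTokenStrategy.Decode(ctx, hint) // what the issue proposes
	return reportedErr, proposedErr
}

func main() {
	reported, proposed := Reproduce()
	fmt.Println("id_token_hint via CommonStrategy.Signer:            ", reported)
	fmt.Println("id_token_hint via OpenIDConnectTokenStrategy.Signer:", proposed)
}
```

Running it prints a verification error for the first path and `<nil>` for the second: the hint is a perfectly valid `id_token`, it is simply being checked against the wrong key, which is the analogue of the "error in cryptographic primitive" line in the log. The one-line fix the issue asks for is the switch from the first `Decode` call to the second; any validator that accepts `id_token_hint` has to verify it with the key that issues ID tokens, and nothing else.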