panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License

Yahoo got an issue for using "ES256" rather than "RS256" for token validation. #249

Closed verybox0 closed 4 years ago

verybox0 commented 4 years ago

In the Yahoo discovery URL => https://api.login.yahoo.com/.well-known/openid-configuration it shows it supports both "ES256" and "RS256"; also, node-openid-client by default will use RS256. However, when Yahoo returns, it complains: unexpected JWT alg received, expected RS256, got: ES256

I also changed => id_token_signed_response_alg: "ES256" in the Client object; however, when Yahoo returns, I got: RPError: no valid key found in issuer's jwks_uri for key parameters {"kid":"3466d51f7dd0c780565688c183921816c45889ad","alg":"ES256"}

Only Yahoo has the issue; I tried Google and Microsoft, and they are both fine.

panva commented 4 years ago

Setting an expected id token signing alg is expected. No issue there.

But Yahoo's EC JWK in https://api.login.yahoo.com/openid/v1/certs is invalid, that's why the client can't use it. The client ignores the "import key" error as it should, that's why the error says no valid key found in issuer's jwks_uri for key parameters.

panva commented 4 years ago

Notice the EC JWK y property, and notice the different length here compared to x; something's up with how they encode the coordinates. Not a client issue.

```
const j=require('jose')

> j.JWK.asKey({
... "kty": "EC",
... "alg": "ES256",
... "use": "sig",
... "crv": "P-256",
... "kid": "3466d51f7dd0c780565688c183921816c45889ad",
... "x": "cWZxqH95zGdr8P4XvPd_jgoP5XROlipzYxfC_vWC61I",
... "y": "AK8V_Tgg_ayGoXiseiwLOClkekc9fi49aYUQpnY1Ay_y" // notice the different length here, something's up with how they encode the coordinates
... })

> Thrown:
> Error: error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding
>     at createPublicKey (internal/crypto/keys.js:321:10)
>     at Object.asKey (/Users/panva/repo/ultimate-jose/lib/jwk/import.js:77:19) {
>   opensslErrorStack: [
>     'error:0B09407D:x509 certificate routines:x509_pubkey_decode:public key decode error',
>     'error:100D708E:elliptic curve routines:eckey_pub_decode:decode error',
>     'error:10098010:elliptic curve routines:o2i_ECPublicKey:EC lib'
>   ],
>   library: 'elliptic curve routines',
>   function: 'ec_GFp_simple_oct2point',
>   reason: 'invalid encoding',
>   code: 'ERR_OSSL_EC_INVALID_ENCODING'
> }
```
verybox0 commented 4 years ago

Thanks for the explanation, very clear and helpful.

I really like this extension.

Cheers

Bin


panva commented 4 years ago

https://developer.yahoo.com/blogs/622587085959938048/