plankanban / planka

The realtime kanban board for workgroups built with React and Redux.
https://planka.app
GNU Affero General Public License v3.0

[Bug]: OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG and OIDC_USERINFO_SIGNED_RESPONSE_ALG not recognized #871

Open kasrabeheshti opened 1 week ago

kasrabeheshti commented 1 week ago

Where is the problem occurring?

I encountered the problem while interacting with the server (Backend)

What browsers are you seeing the problem on?

No response

Current behaviour

I am using an OIDC provider (Roblox) that uses the ES256 JWT algorithm. In my docker compose file I have the following set:

 - OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG=ES256
 - OIDC_USERINFO_SIGNED_RESPONSE_ALG=ES256
 - OIDC_SCOPES=openid email profile

However, SSO operations are failing and in docker I am getting this error:

[W] Error while exchanging OIDC code: RPError: unexpected JWT alg received, expected RS256, got: ES256

This is the same error I got before and after I set these env variables. Am I setting them incorrectly?

Desired behaviour

No response

Steps to reproduce

Use an OIDC provider that uses ES256 (or perhaps another, like HS256) JWT algo?

Other information

No response

meltyshev commented 5 days ago

Hi! Thanks for reporting this. I just tried configuring ES256 for id_token and userinfo in Keycloak and it worked fine. However, I don’t have enough expertise to identify the issue, so I’ll add a "help wanted" label and hopefully someone else can help.

kasrabeheshti commented 4 days ago

> Hi! Thanks for reporting this. I just tried configuring ES256 for id_token and userinfo in Keycloak and it worked fine. However, I don’t have enough expertise to identify the issue, so I’ll add a "help wanted" label and hopefully someone else can help.

Thanks! May I ask how you've deployed Planka? I am running in docker and want to try your setup to see if it resolves the issue

meltyshev commented 4 days ago

> Thanks! May I ask how you've deployed Planka? I am running in docker and want to try your setup to see if it resolves the issue

Sure! We also use Docker to run Planka, and we’ve documented all the settings we use in the docs. However, we don’t have an OIDC provider, so we run it separately only when we need to troubleshoot or test issues related to it.

I tried setting the algorithm to a different value than the one configured in the OIDC provider and encountered the same error you did. However, my "expected" value matches exactly what I set in the environment variable, while yours displays a different value, which is odd. Probably there’s another openid client setting we’re missing, or the variables haven’t been set/updated correctly inside the container (you can check it by connecting to the container and executing echo $OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG).
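
Added example, not part of the thread and not Planka or openid-client code: a small Node.js diagnostic for the two possibilities raised in the last comment (the variable never reached the process, or it is set but differs from what the provider signs with). It assumes an unset value falls back to RS256, the OpenID Connect registration default for id_token_signed_response_alg; the function names and the sample token are constructed for illustration.

```javascript
// Added diagnostic sketch; not Planka or openid-client code.
// Assumption: with no algorithm configured, the client expects RS256
// (the OpenID Connect default for id_token_signed_response_alg).
const DEFAULT_ALG = 'RS256';

// base64url helpers written out by hand so they work on older Node versions.
const b64urlDecode = (s) =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
const b64urlEncode = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode the protected header of a compact JWS (header.payload.signature).
// The signature is NOT verified; this is only for inspecting "alg".
function jwtHeader(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  return JSON.parse(b64urlDecode(parts[0]));
}

// Compare the token's alg with what the given environment asks for.
// varName defaults to the ID token variable named on this page; pass
// 'OIDC_USERINFO_SIGNED_RESPONSE_ALG' to check a signed userinfo response.
function diagnoseAlg(token, env, varName = 'OIDC_ID_TOKEN_SIGNED_RESPONSE_ALG') {
  const got = jwtHeader(token).alg;
  const configured = (env[varName] || '').trim();
  const expected = configured || DEFAULT_ALG;
  let verdict;
  if (got === expected) verdict = 'match';
  else if (!configured) verdict = 'variable-unset-or-empty-in-process';
  else verdict = 'configured-alg-differs-from-provider';
  return { expected, got, verdict };
}

// Constructed sample token: real header shape, dummy payload and signature.
function sampleToken(alg) {
  return `${b64urlEncode({ alg, typ: 'JWT' })}.${b64urlEncode({ sub: 'constructed' })}.c2ln`;
}

// Run against the current process environment, e.g. inside the container.
console.log(diagnoseAlg(sampleToken('ES256'), process.env));
```

Run inside the container, a verdict of variable-unset-or-empty-in-process with expected RS256 points at the compose file or a container that was not recreated, rather than at the provider.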