project-rhex / openid_connect_gateway

Simple proxy service that acts as an OpenID Relying Party for authenticating users before proxying requests

crash after obtaining access token from nov/openid_connect_sample #2

Open caboteria opened 12 years ago

caboteria commented 12 years ago

I'm playing with the gateway and pointed it at nov/openid_connect_sample. The authorization request seems to work, and then the gateway POSTS to the OP for the access token. The OP responds and the gateway crashes on the response.

    NoMethodError at /auth/openid_connect/callback
    undefined method `verify' for #<String:0xa427de0>
    Ruby /home/tobyc/.rvm/gems/ruby-1.9.2-p180/gems/json-jwt-0.3.3/lib/json/jws.rb: in valid?, line 76

    def valid?(signature_base_string, public_key_or_secret)
      case
      when hmac?
        secret = public_key_or_secret
        sign(signature_base_string, secret) == signature
      when rsa?
        public_key = public_key_or_secret
        public_key.verify digest, signature, signature_base_string   # line 76
      when ecdsa?
        public_key = public_key_or_secret
        verify_ecdsa_group! public_key
        public_key.dsa_verify_asn1 digest.digest(signature_base_string), signature
      else
        raise InvalidFormat.new('Unknown Signature Algorithm')
      end
    end

The contents of the response to the access token request are:

    {"access_token":"73e9279688f31eebaf824ca2e8b6cc3dbc814d7a79dd785a68ed5f4eef8a0543","token_type":"bearer","expires_in":86399,"id_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dSI6Imh0dHA6Ly9vcC5kZXYvY2VydC5wZW0iLCJqa3UiOiJodHRwOi8vb3AuZGV2L2p3ay5qc29uIn0.eyJpc3MiOiJodHRwOi8vb3AuZGV2IiwidXNlcl9pZCI6ImI0OGNjMzM1MTAzYjQzOWMiLCJhdWQiOiJjZTc1ZDZmMjdkZDk3ODFkNjA3ZDExYmUzNTA5ZGQ0YiIsImV4cCI6MTM1MjU4MzIwOSwiaWF0IjoxMzUyNTYxNjA5LCJub25jZSI6IjU5ODU1NWNmNmEwNjJkMjRiYzM2OTdhZGQ2NzEwNWIwIn0.DNS7Bo7YrZjdlI7BlQQ_siOjqlhq8K0ma5vg6gYfZqR1rJP79zqO7t00CC3xD-SlNY69n6nD_KZIpfg1dZ0O4LHC83GJB7PL7rA_lV1aocVdoC6ijqDIjwVkLkVyix-vzEK20-1ELRJGmnGa2scK_Yt36XNrGVAsfZpuCvswuEuSlLb256Xgg_DRE9DwxHaa1LCQBxDu1tTet_8v5zoKpteAfYvKiRrZE9_XbksLp9zWmG4-9ly7tcouQOjLHzrsyaOMHahO7eiCnv1B2aMcEsdPcuPXHm3HsA2tY-dVPlYGh25tmo0xM6JRyCj186TmXI5QrxVA8PRzmPOCq2FxwQ"}

caboteria commented 12 years ago

The problem seems to be in omniauth_openid_connect-b12d89d5744b/lib/omniauth/strategies/openid_connect.rb.

    def check_id!(id_token)
      raise ::OpenIDConnect::Exception.new('No ID Token was given.') if id_token.blank?
      ::OpenIDConnect::ResponseObject::IdToken.decode(
        id_token, (get_idp_signing_key() || options[:client_secret])
      )
    end

get_idp_signing_key seems to return some sort of key object, but options[:client_secret] is a string, which causes the crash. It looks as if get_idp_signing_key() will return nil if the config file doesn't have either an x509_url or jwk_url parameter, which it doesn't by default.

caboteria commented 12 years ago

It looks as if you can avoid this crash by adding an additional_properties property of either x509_url or jwk_url. x509 takes precedence if you have both.

For nov/openid_connect_sample these URLs are /cert.pem and /jwk.json.
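The following Ruby script is an added illustration of the two findings in this thread (the `|| options[:client_secret]` fallback in `check_id!`, and the x509_url / jwk_url workaround); it is not code from openid_connect_gateway, omniauth_openid_connect or json-jwt. It decodes the header and claims of the id_token quoted above, shows that the header says `alg: RS256` with `x5u` and `jku` pointing at the OP, and replaces the string fallback with a key-selection step that only hands the client secret to the verifier for HMAC algorithms. The function names (`select_verification_key`, `check_key_matches!`, `signing_key_source`) and the `SigningKeyNotConfigured` error class are assumptions made for this example.

```ruby
require 'json'
require 'base64'
require 'openssl'

# The id_token exactly as it appears in the access-token response quoted in
# this issue (header: alg RS256 with x5u and jku pointing at op.dev).
ID_TOKEN = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dSI6Imh0dHA6Ly9vcC5kZXYvY2VydC5wZW0iLCJqa3UiOiJodHRwOi8vb3AuZGV2L2p3ay5qc29uIn0.' \
           'eyJpc3MiOiJodHRwOi8vb3AuZGV2IiwidXNlcl9pZCI6ImI0OGNjMzM1MTAzYjQzOWMiLCJhdWQiOiJjZTc1ZDZmMjdkZDk3ODFkNjA3ZDExYmUzNTA5ZGQ0YiIsImV4cCI6MTM1MjU4MzIwOSwiaWF0IjoxMzUyNTYxNjA5LCJub25jZSI6IjU5ODU1NWNmNmEwNjJkMjRiYzM2OTdhZGQ2NzEwNWIwIn0.' \
           'DNS7Bo7YrZjdlI7BlQQ_siOjqlhq8K0ma5vg6gYfZqR1rJP79zqO7t00CC3xD-SlNY69n6nD_KZIpfg1dZ0O4LHC83GJB7PL7rA_lV1aocVdoC6ijqDIjwVkLkVyix-vzEK20-1ELRJGmnGa2scK_Yt36XNrGVAsfZpuCvswuEuSlLb256Xgg_DRE9DwxHaa1LCQBxDu1tTet_8v5zoKpteAfYvKiRrZE9_XbksLp9zWmG4-9ly7tcouQOjLHzrsyaOMHahO7eiCnv1B2aMcEsdPcuPXHm3HsA2tY-dVPlYGh25tmo0xM6JRyCj186TmXI5QrxVA8PRzmPOCq2FxwQ'.freeze

# Hypothetical error class for this example: raised when the OP signing key
# was never configured but the token's alg requires one.
class SigningKeyNotConfigured < StandardError; end

# Decode one base64url JWT segment, restoring the padding that JWT strips.
def decode_jwt_segment(segment)
  padded = segment + '=' * ((4 - segment.length % 4) % 4)
  JSON.parse(Base64.urlsafe_decode64(padded))
end

def jwt_header(jwt)
  decode_jwt_segment(jwt.split('.')[0])
end

def jwt_claims(jwt)
  decode_jwt_segment(jwt.split('.')[1])
end

# Which key family a JWS "alg" value needs. Mirrors the hmac?/rsa?/ecdsa?
# branches of json-jwt's valid? quoted in this issue.
def key_kind_for(alg)
  case alg
  when /\AHS\d+\z/ then :hmac_secret
  when /\A(RS|PS)\d+\z/ then :rsa_public_key
  when /\AES\d+\z/ then :ec_public_key
  else raise ArgumentError, "Unknown signature algorithm: #{alg.inspect}"
  end
end

# Where the RP would fetch the OP's signing key from, based on the token
# header: x5u (the x509_url) takes precedence over jku (the jwk_url), as the
# workaround in this issue describes. Returns nil when the header names neither.
def signing_key_source(header)
  return [:x5u, header['x5u']] if header['x5u']
  return [:jku, header['jku']] if header['jku']
  nil
end

# Replacement for the `get_idp_signing_key() || options[:client_secret]`
# fallback in check_id!: the client secret is only a valid verification key
# for HMAC algs. For RS*/PS*/ES*, a missing OP key is a configuration error
# and is reported as one instead of surfacing later as NoMethodError.
def select_verification_key(header, idp_signing_key, client_secret)
  kind = key_kind_for(header['alg'])
  if kind == :hmac_secret
    client_secret
  elsif idp_signing_key.nil?
    raise SigningKeyNotConfigured,
          "alg #{header['alg']} needs the OP's public key; " \
          'set x509_url or jwk_url in additional_properties'
  else
    idp_signing_key
  end
end

# Type-check the key against the alg before handing it to the verifier, so a
# String where an OpenSSL key is expected fails with a readable message.
def check_key_matches!(alg, key)
  kind = key_kind_for(alg)
  ok = case kind
       when :hmac_secret    then key.is_a?(String)
       when :rsa_public_key then key.is_a?(OpenSSL::PKey::RSA)
       when :ec_public_key  then key.is_a?(OpenSSL::PKey::EC)
       end
  raise TypeError, "alg #{alg} needs a #{kind}, got #{key.class}" unless ok
  kind
end

if $PROGRAM_NAME == __FILE__
  header = jwt_header(ID_TOKEN)
  puts "alg=#{header['alg']} key source=#{signing_key_source(header).inspect}"
  puts "claims: #{jwt_claims(ID_TOKEN).inspect}"
  begin
    # Reproduces the misconfiguration from the issue: no OP key, only the secret.
    select_verification_key(header, nil, 'client-secret')
  rescue SigningKeyNotConfigured => e
    puts "clear error instead of NoMethodError: #{e.message}"
  end
end
```

Run it with `ruby` on its own: the header decodes to `alg: RS256`, `x5u: http://op.dev/cert.pem`, `jku: http://op.dev/jwk.json`, so the key source resolves to the x5u URL, and with no OP key configured the script stops at `select_verification_key` with a configuration error rather than reaching the verifier with a String. Fetching and parsing the certificate or JWK from those URLs is left to the gateway's own `get_idp_signing_key`.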