Open medina325 opened 3 years ago
By the way, only the public key needs to be added in order for the signature to be verified.
I'm following the right steps; I verified the private key is being fetched correctly from /storage/oauth-private.key when the authorization server is created, but I don't know what's happening to the public key.
Would you please take a look into why the public key does not get attached to the id token? Thanks!
@medina325 did you ever figure this out? I’m running into the same invalid signature.
I was using jwt.io to verify my JWT; it doesn’t allow me to specify a public and private key: just a secret. But whenever I added a secret, it would resign the JWT and change the signature.
The only way I was able to produce a verifiable signature was to change makeAuthorizationServer()
in src/Laravel/PassportServiceProvider.php
to use the oauth client secret rather than the private key file:
+ $validated = request()->validate([
+ 'client_id' => ['required', 'string', 'max:36', 'uuid'],
+ ]);
+ $client = \Laravel\Passport\Client::find($validated['client_id']);
+
$responseType = new IdTokenResponse(
app(config('openid.repositories.identity')),
new ClaimExtractor(...$claimSets),
Configuration::forSymmetricSigner(
app(config('openid.signer')),
- InMemory::file($cryptKey->getKeyPath()),
+ InMemory::plainText($client->secret),
),
);
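Review bot: `\Laravel\Passport\Client::find($validated['client_id'])` can return null, and the next lines dereference `$client->secret` with no check, so an unknown `client_id` turns into a PHP error rather than a clean rejection. Beyond that, `Configuration::forSymmetricSigner(..., InMemory::plainText($client->secret))` replaces the private-key signature with a MAC keyed by the client secret: every party holding that secret (the client itself, and anything that can read its configuration) can then mint ID tokens the verifier accepts, and if `config('openid.signer')` is still an RSA signer, `forSymmetricSigner` is the wrong constructor for it. If the consumer rejects the RSA-signed token, the fix belongs on the verifying side (give it the matching public key and verify with the RSA signer), not in downgrading the issuer to a shared secret. Note also that `client_id` is taken from the incoming request via `request()->validate`, so the signing key is chosen by whatever `client_id` the caller submits rather than by the client the authorization server has already resolved.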
It seems that the consumer expects the JWT to be signed by the (shared) client secret, not the private key file.
@ronvanderheijden what do you think of adding a config option to specify whether the private key or the client secret should be used as the signing key?
@andrewminion-luminfire sorry for taking so long. I couldn't solve the problem, and due to the tight schedule I had to give up on OpenID Connect and tried other protocols and tools. I ended up using this implementation of the SAML SSO protocol, where my application acted as the "identity provider".
> @ronvanderheijden what do you think of adding a config option to specify whether the private key or the client secret should be used as the signing key?
Please change the signer option value from the OpenID config file.
'signer' => \Lcobucci\JWT\Signer\Rsa\Sha256::class
@aamiranwar001 I think you’re talking about the signing algorithm, correct? I’m talking about the contents of the key itself.
@ronvanderheijden Yes, I'm talking about the signing algorithm. \Lcobucci\JWT\Signer\Rsa\Sha256::class algorithm has options for public and private keys. Besides this, you're correct. We need a config option for client secret.
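An added example, not code from this package or from anyone in the thread, showing the two signing models the comments above argue about: RS256, where the issuer signs with its private key and the consumer verifies with nothing but the public key (the point jwt.io obscures, since its form only accepts a shared secret), beside HS256 keyed by the client secret, which is what the proposed patch amounts to. It is written in Go against the standard library only, so it runs offline; the RSA key pair is generated in-process as a stand-in for Passport's oauth-private.key/oauth-public.key, and the issuer URL, subject and "client-secret" are constructed values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding (RFC 7515)

func signingInput(alg string, claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	return b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
}

// SignRS256 is the issuer's side: sign with the RSA private key (storage/oauth-private.key).
func SignRS256(claims map[string]interface{}, priv *rsa.PrivateKey) (string, error) {
	in := signingInput("RS256", claims)
	digest := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(sig), nil
}

// SignHS256 is what keying the signer with the shared client secret amounts to: an HMAC
// that anyone holding the secret, the client included, can produce.
func SignHS256(claims map[string]interface{}, secret []byte) string {
	in := signingInput("HS256", claims)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(in))
	return in + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify decodes the three segments, pins the expected alg and runs the signature
// check; pinning alg stops an HS256 token from being accepted by an RS256 verifier.
func verify(token, alg string, check func(input string, sig []byte) bool) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: expected three segments")
	}
	var raw [3][]byte
	for i, s := range parts {
		b, err := b64.DecodeString(s)
		if err != nil {
			return nil, err
		}
		raw[i] = b
	}
	var hdr struct{ Alg string } // encoding/json matches "alg" case-insensitively
	if err := json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != alg {
		return nil, fmt.Errorf("unexpected alg %q, want %s", hdr.Alg, alg)
	}
	if !check(parts[0]+"."+parts[1], raw[2]) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]interface{} // decoded only after the signature held
	if err := json.Unmarshal(raw[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// VerifyRS256 is the relying party's side: only the public key is needed.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]interface{}, error) {
	return verify(token, "RS256", func(input string, sig []byte) bool {
		digest := sha256.Sum256([]byte(input))
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
	})
}

// VerifyHS256 cannot tell a token minted by the issuer from one minted by the client.
func VerifyHS256(token string, secret []byte) (map[string]interface{}, error) {
	return verify(token, "HS256", func(input string, sig []byte) bool {
		mac := hmac.New(sha256.New, secret)
		mac.Write([]byte(input))
		return hmac.Equal(mac.Sum(nil), sig)
	})
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed stand-in for storage/oauth-private.key
	tok, _ := SignRS256(map[string]interface{}{"iss": "https://idp.example.test", "sub": "42"}, priv)
	_, err := VerifyRS256(tok, &priv.PublicKey) // the consumer holds only the public key
	fmt.Println("RS256 token verified with the public key alone:", err == nil)
}
```

The RS256 verifier never sees the private key, which is why an ID token that "has no public key attached" is still verifiable: the public key is distributed out of band (Passport's public key file, or a JWKS endpoint), not carried in the token. The HS256 variant shows the cost of the client-secret workaround: the same secret that verifies a token also forges one, so the relying party can no longer prove the issuer minted it. The alg check in `verify` is deliberate; a verifier that trusts the token's own `alg` header can be talked into checking an HS256 signature with the RSA public key as the HMAC secret.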
I'm very sorry, but I'm currently too busy with some other stuff. I also haven't touched this project for some time now.
I have planned some work on this project in the future. You can always submit a pull-request, I will make time to review this.
But for me to add features or fix bugs will have to wait.
Hello
I made a fork to make this package Laravel compliant (and Laravel first): https://github.com/jeremy379/laravel-openid-connect
It has some changes (including breaking changes) compared with this one, and it's made to work only with Laravel.
But if it may help you, or help you with debugging, you're free to use it.
In this section you describe how to generate the keys for later encryption of the ID Token. Can I simply use the ones generated by the laravel artisan passport:keys command? If so, where do I store them for the openid provider to pick it up? Right now they don't appear in the token being generated.
But if I add them, the signature becomes valid.