Closed jimmym715 closed 1 year ago
Second this, getting alerted all the time.
Is there any workaround right now or a fork available?
We aren't using the optional encryption parts of the provider so we forked and simply removed the bits which used firebase/php-jwt and the library itself.
'encryptionAlgorithm' => 'RS256', // optional 'encryptionKeyPath' => '../key.pem' // optional 'encryptionKey' => 'contents_of_key_or_certificate' // optional
Cheers 🎉! ended up making a fork to make it compatible with KC20 as well!
Would you mind sharing a link to your fork?
Hi, SecurityAdvisories has been posted an update related to this issue a few days ago. It is not possible to install oauth2-keycloak because of firebase/jwt < 6 conflict. Could you please update it? Here's a link to the issue: https://github.com/Roave/SecurityAdvisories/issues/106
It seems fixing this is not just a matter of adding ^6.0
of firebase/php-jwt to the requirements in composer.json. Version 6.0.0 introduces a breaking change to mitigate the CVE by not allowing the second parameter to be a string; it needs to be a Key
object or an array of Key
s or strings, the latter also requiring a $kid to be provided.
The Key
object seems to have been introduced in version 5.5.0, so changing the call signature in https://github.com/stevenmaguire/oauth2-keycloak/blob/master/src/Provider/Keycloak.php#L101 will drop support for all firebase/php-jwt versions before 5.5.0
The following pull request https://github.com/stevenmaguire/oauth2-keycloak/pull/64 provides the expected upgrade.
JWT requirement changes from ~4.0|~5.0
to ~6.0
.
Edit: last version here https://github.com/stevenmaguire/oauth2-keycloak/issues/50#issuecomment-1463908564
If you need to use the https://github.com/stevenmaguire/oauth2-keycloak/pull/64 in composer without waiting for the pull request to be merged, you need to edit your composer.json
to reflect the following changes.
{
"require": {
"stevenmaguire/oauth2-keycloak": "dev-master"
},
"repositories": {
"oauth2-keycloak": {
"type": "vcs",
"url": "https://github.com/muffe/oauth2-keycloak"
}
}
}
If you don't want to edit manually your composer.json
file, you can run the following commands in your shell :
composer config repositories.oauth2-keycloak vcs https://github.com/muffe/oauth2-keycloak
composer require stevenmaguire/oauth2-keycloak:dev-master
:warning: This is not a recommanded way of doing things.
:dev-master
means that composer will look at the master
branch of the muffe/oauth2-keycloak
package.
It is recommanded by composer documentation that the hotfix is hosted on its own branch, eg. hotfix-for-jwt-6
, and thus called with composer require stevenmaguire/oauth2-keycloak:dev-hotfix-for-jwt-6
.
This requires @muffe to create a hotfix-for-jwt-6
branch to host its hotfix.
Just created hotfix-for-jwt-6 from the current master.
Thank you very much.
You can now use in your terminal the following commands :
composer config repositories.oauth2-keycloak vcs https://github.com/muffe/oauth2-keycloak
composer require stevenmaguire/oauth2-keycloak:dev-hotfix-for-jwt-6
Hello, I have an error on your version : Parse error: syntax error, unexpected ')' in .../vendor/stevenmaguire/oauth2-keycloak/src/Provider/Keycloak.php on line 103
The issue is that there is a trailing comma in the JWT::decode()
call at https://github.com/muffe/oauth2-keycloak/blob/hotfix-for-jwt-6/src/Provider/Keycloak.php#L102
The trailing comma was implemented starting PHP 7.3 https://wiki.php.net/rfc/trailing-comma-function-calls#implementation
@muffe https://packagist.org/packages/league/oauth2-client#2.0.0 requirements allows PHP >=5.6 : either remove the comma or add a php requirement to your https://github.com/muffe/oauth2-keycloak/blob/hotfix-for-jwt-6/composer.json
Fixing that as we speak, pushing the changes to the hotfix branch and the master
Released new version 4.0.0 with allow JWT version 6:*.
CVE-2021-46743 identifies the following issue:
"In Firebase PHP-JWT before 6.0.0, an algorithm-confusion issue (e.g., RS256 / HS256) exists via the kid (aka Key ID) header, when multiple types of keys are loaded in a key ring. This allows an attacker to forge tokens that validate under the incorrect key. NOTE: this provides a straightforward way to use the PHP-JWT library unsafely, but might not be considered a vulnerability in the library itself."
Breaking changes in v6.0.0 of firebase/php-jwt appear to be relevant to code in /src/Provider/Keycloak.php