vaulttec / sonar-auth-oidc

OpenID Connect (OIDC) Plugin for SonarQube
Apache License 2.0
101 stars 35 forks

Invalid ID token #59

Closed burgessjp closed 1 year ago

burgessjp commented 2 years ago

SonarQube Version: 9.0.1

[screenshot]

burgessjp commented 2 years ago

@tjuerge Need Help.

tjuerge commented 2 years ago

This screenshot is pretty useless - the wrapped root BadJOSEException is missing here.

You can manually validate the received ID token (value of JSON attribute id_token) with https://oauth.tools/ as described here.

And which OpenID Connect identity provider are you using?

tjuerge commented 2 years ago

And check if your identity provider has signed the ID token with the same algorithm (HMAC, RSA or ECDSA) as you selected in the plugin configuration ID token signature algorithm. If you're unsure then deactivate this feature.

tjuerge commented 2 years ago

It seems your identity provider is signing with HMAC because the JWT of your ID token header eyJhbGciOiJIUzI1NiJ9 contains

{
  "alg": "HS256"
}

This is in accordance with the log message Validating ID Token with HS256 and.... Did you select HMAC for the plugin configuration ID token signature algorithm?
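The two points made above (decoding the JWT header to see which algorithm the identity provider used, and checking that it matches the HMAC/RSA/ECDSA choice in the plugin's ID token signature algorithm setting) can be checked locally before touching the plugin. The following is an added example for this thread, not code from sonar-auth-oidc or Nimbus JOSE JWT; it assumes the plugin's three choices map onto the JWA prefixes HS*, RS*/PS* and ES*, and it uses a constructed secret and constructed token rather than anything from a real identity provider.

```python
import base64
import hashlib
import hmac
import json

# Assumption: the plugin's HMAC / RSA / ECDSA choices correspond to these
# JWA "alg" prefixes. "none" is deliberately absent so an unsigned token is rejected.
ALG_FAMILY = {
    "HS256": "HMAC", "HS384": "HMAC", "HS512": "HMAC",
    "RS256": "RSA", "RS384": "RSA", "RS512": "RSA",
    "PS256": "RSA", "PS384": "RSA", "PS512": "RSA",
    "ES256": "ECDSA", "ES384": "ECDSA", "ES512": "ECDSA",
}


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url as used in compact JWS serialization."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_header(token: str) -> dict:
    """Parse the JOSE header of a compact JWS (header.payload.signature)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    return json.loads(b64url_decode(parts[0]))


def alg_family(alg: str) -> str:
    """Map a JWA alg name onto the plugin's family name; reject anything unknown."""
    try:
        return ALG_FAMILY[alg]
    except KeyError:
        raise ValueError(f"unsupported or unsigned alg: {alg!r}")


def check_alg_matches(token: str, configured_family: str) -> bool:
    """True when the token's alg belongs to the family selected in the plugin."""
    return alg_family(jwt_header(token)["alg"]) == configured_family


def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute the HS256 MAC over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if jwt_header(token).get("alg") != "HS256":
        return False  # refuse to treat a non-HMAC token as HMAC
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig_b64))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 ID token for the demonstration (not from any real IdP)."""
    compact = {"separators": (",", ":")}
    header_b64 = b64url_encode(json.dumps({"alg": "HS256"}, **compact).encode())
    payload_b64 = b64url_encode(json.dumps(claims, **compact).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{b64url_encode(sig)}"


if __name__ == "__main__":
    # Constructed secret and claims; the header produced here is the same
    # eyJhbGciOiJIUzI1NiJ9 value quoted in the issue.
    secret = b"constructed-demo-client-secret"
    token = make_hs256_token({"iss": "https://idp.example", "sub": "alice"}, secret)
    print("header:", jwt_header(token))
    print("family:", alg_family(jwt_header(token)["alg"]))
    print("matches HMAC setting:", check_alg_matches(token, "HMAC"))
    print("matches RSA setting:", check_alg_matches(token, "RSA"))
    print("signature valid:", verify_hs256(token, secret))
```

Running this against the real id_token value (just the header decoding and alg_family, since the HMAC secret is the OIDC client secret shared with the provider) tells you whether the family selected in the plugin can possibly match; if it cannot, the BadJOSEException is expected and resetting the setting, as suggested in this thread, is the quick way to confirm.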

burgessjp commented 2 years ago

It seems your identity provider is signing with HMAC because the JWT of your ID token header eyJhbGciOiJIUzI1NiJ9 contains

{
  "alg": "HS256"
}

This is in accordance with the log message Validating ID Token with HS256 and.... Did you select HMAC for the plugin configuration ID token signature algorithm?

Yes, the configuration is OK.

tjuerge commented 2 years ago

Ok, then only the full stacktrace (including the wrapped BadJOSEException) can give us a hint. Please post the full stacktrace - or the wrapped root exception of the IllegalStateException.

Btw. you can deactivate the plugin's ID token validation by resetting the ID token signature algorithm. Is this (default) mode working for you?

tjuerge commented 2 years ago

The wrapped BadJOSEException is thrown in Nimbus JOSE JWT's DefaultJWTProcessor. Here you can find all the different error messages and the corresponding JWT object validations. A detailed explanation of the inner workings of validating signed ID Tokens can be found here.

Which identity provider are you using?

burgessjp commented 2 years ago

@tjuerge

Thank you for your answer, this identity provider is our own company, I am looking for their assistance.

I will sync here when there is a result.