Failed to decode `id_token_hint` when using different signer for `id_token` and others

Question

Failed to decode `id_token_hint` when using different signer for `id_token` and others

hijiki51 opened this issue a year ago · 0 comments

hijiki51 commented a year ago

Preflight checklist

I could not find a solution in the existing issues, docs, nor discussions.
I agree to follow this project's Code of Conduct.
I have read and am following this repository's Contribution Guidelines.
I have joined the Ory Community Slack.
I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

In OpenIDConnectRequestValidator.ValidatePrompt, decode id_token_hint when passed.
This Decode function using jwt.Signer passed here.
- this signer is a compose.CommonStrategy.Signer.
- ref
But, id_token is singed by another singer passed here
Therefore, If we use different singer for id_token and other (like access_token), failed to decode id_token_hint,

I think OpenIDConnectRequestValidator should use compose.CommonStrategy.OpenIDConnectTokenStrategy.Signer instead of compose.CommonStrategy.Signer.

Reproducing the bug

Setup two different private key
Configure fosite.OAuth2Provider using two different key
like this:

keyGetter1 := func(context.Context) (interface{}, error) {
	return key1, nil
}
keyGetter2 := func(context.Context) (interface{}, error) {
	return key2, nil
}
oauth2 := compose.Compose(
	config,
	storage,
	&CommonStrategy{
		CoreStrategy:               NewOAuth2HMACStrategy(config),
		OpenIDConnectTokenStrategy: NewOpenIDConnectStrategy(keyGetter1 , config),
		Signer:                     &jwt.DefaultSigner{GetPrivateKey: keyGetter2},
	},
	OAuth2AuthorizeExplicitFactory,
	OAuth2AuthorizeImplicitFactory,
	OAuth2ClientCredentialsGrantFactory,
	OAuth2RefreshTokenGrantFactory,
	OAuth2ResourceOwnerPasswordCredentialsFactory,
	RFC7523AssertionGrantFactory,

	OpenIDConnectExplicitFactory,
	OpenIDConnectImplicitFactory,
	OpenIDConnectHybridFactory,
	OpenIDConnectRefreshFactory,

	OAuth2TokenIntrospectionFactory,
	OAuth2TokenRevocationFactory,

	OAuth2PKCEFactory,
	PushedAuthorizeHandlerFactory,
)

Access authorization endpoint with id_token_hint parameter

Relevant log output

2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: invalid_request
github.com/ory/x/errorsx.WithStack
        github.com/ory/x@v0.0.589/errorsx/errors.go:41
github.com/ory/fosite/handler/openid.(*OpenIDConnectRequestValidator).ValidatePrompt
        github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/validator.go:141
github.com/ory/fosite/handler/openid.(*OpenIDConnectExplicitHandler).HandleAuthorizeEndpointRequest
        github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/flow_explicit_auth.go:50
github.com/ory/fosite.(*Fosite).NewAuthorizeResponse
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: go-jose/go-jose: error in cryptographic primitive

Relevant configuration

No response

Version

github.com/ory/fosite v0.44.1-0.20230807143048-1df109bb45fa

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response