Failed to decode `id_token_hint` when using different signer for `id_token` and others
hijiki51 opened this issue · 0 comments
hijiki51 commented
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
- In `OpenIDConnectRequestValidator.ValidatePrompt`, `id_token_hint` is decoded when passed.
- This `Decode` function uses the `jwt.Signer` passed here.
- This signer is a `compose.CommonStrategy.Signer` (ref).
- But `id_token` is signed by another signer passed here.
- Therefore, if we use a different signer for `id_token` and the others (like `access_token`), decoding `id_token_hint` fails.

I think `OpenIDConnectRequestValidator` should use `compose.CommonStrategy.OpenIDConnectTokenStrategy.Signer` instead of `compose.CommonStrategy.Signer`.
Reproducing the bug
- Set up two different private keys.
- Configure `fosite.OAuth2Provider` using the two different keys, like this:
```go
import (
	"context"

	"github.com/ory/fosite/compose"
	"github.com/ory/fosite/token/jwt"
)

// key1 and key2 are two different private keys (for example *rsa.PrivateKey);
// config (a fosite.Configurator) and storage are assumed to be set up already.
keyGetter1 := func(context.Context) (interface{}, error) {
	return key1, nil
}
keyGetter2 := func(context.Context) (interface{}, error) {
	return key2, nil
}

oauth2 := compose.Compose(
	config,
	storage,
	&compose.CommonStrategy{
		CoreStrategy: compose.NewOAuth2HMACStrategy(config),
		// id_token is signed with key1 ...
		OpenIDConnectTokenStrategy: compose.NewOpenIDConnectStrategy(keyGetter1, config),
		// ... but the generic signer, which ValidatePrompt uses to decode id_token_hint, holds key2
		Signer: &jwt.DefaultSigner{GetPrivateKey: keyGetter2},
	},
	compose.OAuth2AuthorizeExplicitFactory,
	compose.OAuth2AuthorizeImplicitFactory,
	compose.OAuth2ClientCredentialsGrantFactory,
	compose.OAuth2RefreshTokenGrantFactory,
	compose.OAuth2ResourceOwnerPasswordCredentialsFactory,
	compose.RFC7523AssertionGrantFactory,
	compose.OpenIDConnectExplicitFactory,
	compose.OpenIDConnectImplicitFactory,
	compose.OpenIDConnectHybridFactory,
	compose.OpenIDConnectRefreshFactory,
	compose.OAuth2TokenIntrospectionFactory,
	compose.OAuth2TokenRevocationFactory,
	compose.OAuth2PKCEFactory,
	compose.PushedAuthorizeHandlerFactory,
)
```
- Access the authorization endpoint with the `id_token_hint` parameter.
Relevant log output
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: invalid_request
github.com/ory/x/errorsx.WithStack
github.com/ory/x@v0.0.589/errorsx/errors.go:41
github.com/ory/fosite/handler/openid.(*OpenIDConnectRequestValidator).ValidatePrompt
github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/validator.go:141
github.com/ory/fosite/handler/openid.(*OpenIDConnectExplicitHandler).HandleAuthorizeEndpointRequest
github.com/ory/fosite@v0.44.1-0.20230807143048-1df109bb45fa/handler/openid/flow_explicit_auth.go:50
github.com/ory/fosite.(*Fosite).NewAuthorizeResponse
2023/09/22 13:50:55 Error occurred in NewAuthorizeResponse: go-jose/go-jose: error in cryptographic primitive
Relevant configuration
No response
Version
github.com/ory/fosite v0.44.1-0.20230807143048-1df109bb45fa
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker Compose
Additional Context
No response
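The signer mismatch described in this report, as an added stand-alone example that is not fosite's code: `Signer`, `CommonStrategy` and `ValidateHint` are hypothetical HS256 stand-ins for `jwt.Signer`, `compose.CommonStrategy` and `ValidatePrompt`, and the keys and claims are constructed sample values. An `id_token` minted with the OpenID Connect signer's key fails to decode through the generic signer (the log's "error in cryptographic primitive"), and decodes once the id_token signer is used instead.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding
// Signer is a hypothetical stand-in for fosite's jwt.Signer: one key per strategy, HS256 compact JWS.
type Signer struct{ Key []byte }
func (s Signer) mac(input string) []byte {
	m := hmac.New(sha256.New, s.Key)
	m.Write([]byte(input))
	return m.Sum(nil)
}
// Sign returns header.claims.signature over the given JSON claims.
func (s Signer) Sign(claims string) string {
	input := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	return input + "." + b64.EncodeToString(s.mac(input))
}
// Decode verifies the signature with THIS signer's key before returning the claims.
func (s Signer) Decode(token string) (string, error) {
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return "", fmt.Errorf("malformed token")
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, s.mac(p[0]+"."+p[1])) {
		return "", fmt.Errorf("error in cryptographic primitive: signature does not verify")
	}
	claims, err := b64.DecodeString(p[1])
	return string(claims), err
}
// CommonStrategy mirrors compose.CommonStrategy's two signer slots; ValidateHint models ValidatePrompt decoding id_token_hint with cs.Signer (today) or with the id_token signer (proposed).
type CommonStrategy struct{ OpenIDConnectSigner, Signer Signer }
func ValidateHint(cs CommonStrategy, hint string, fixed bool) (string, error) {
	if fixed {
		return cs.OpenIDConnectSigner.Decode(hint)
	}
	return cs.Signer.Decode(hint)
}
func main() {
	cs := CommonStrategy{OpenIDConnectSigner: Signer{[]byte("key1")}, Signer: Signer{[]byte("key2")}}
	hint := cs.OpenIDConnectSigner.Sign(`{"sub":"alice"}`) // id_token minted with key1, sent back as hint
	_, err := ValidateHint(cs, hint, false)
	claims, _ := ValidateHint(cs, hint, true)
	fmt.Printf("current: %v\nfixed: %s\n", err, claims)
}
```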