Hi damienbod,
id_token validation is failing because the JWKS key is missing the "use": "sig" attribute.
The identity provider stores keys in the following format:
{
    "keys": [{
        "kty": "RSA",
        "kid": "XXX",
        "n": "XXX",
        "e": "XXX"
    }]
}
It is failing in the oidc.security.validation.ts service. Must "use": "sig" always be present? Can't it be null or optional?
for (const key of jwtkeys.keys) {
    // Only keys explicitly marked "use": "sig" are counted; a key with no "use" member is skipped.
    if (key.kty === 'RSA' && key.use === 'sig') {
        amountOfMatchingKeys = amountOfMatchingKeys + 1;
    }
}
if (amountOfMatchingKeys === 0) {
    this.loggerService.logWarning('no keys found, incorrect Signature, validation failed for id_token');
    return false;
}
Thanks
@seleshmaster Looks like this is optional, which would mean this is a bug. Going through the specs now. Could you send me your well-known endpoint response? I would like to reproduce it so I can test and fix.
https://tools.ietf.org/html/rfc7517#section-4.2
https://tools.ietf.org/html/rfc7517#section-4.6
https://openid.net/specs/openid-connect-discovery-1_0-final.html
Greetings Damien
@damienbod
Here is the response from the identity server:
{"access_token":"j9D7_qfMasWmmGbKYpNhTQ","token_type":"Bearer","expires_in":898,"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiOGI0NTU0ZC1hZj..."}
*id_token value is modified for readability.
And here is the output from the browser console:
STS server: https://idp.int.identitysandbox.gov angular-auth-oidc-client.js:660
Silent Renew is active, check if token in storage is active angular-auth-oidc-client.js:660
Location http://localhost:8080/home?code=105cfe7a-647f-491a-b3d2-07139339a4f4&state=15564680733390.214034033558658240.6820717020613557
app.component.ts:51:4
code 105cfe7a-647f-491a-b3d2-07139339a4f4 app.component.ts:61:8
state 15564680733390.214034033558658240.6820717020613557 app.component.ts:62:8
session_state null app.component.ts:63:8
window.location.toString() : http://localhost:8080/home?code=105cfe7a-647f-491a-b3d2-07139339a4f4&state=15564680733390.214034033558658240.6820717020613557 app.component.ts:66:8
<iframe id="myiFrameForSilentRenew">
angular-auth-oidc-client.js:660
BEGIN authorized Code Flow Callback, no auth data angular-auth-oidc-client.js:660
this.userData -- : app.component.ts:33:9
Object { access_token: "j9D7_qfMasWmmGbKYpNhTQ", token_type: "Bearer", expires_in: 898, id_token: "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiOGI0NTU0ZC1hZj...", session_state: null }
angular-auth-oidc-client.js:660
authorizedCallback created, begin token validation angular-auth-oidc-client.js:660
jwks_uri: https://idp.int.identitysandbox.gov/api/openid_connect/certs angular-auth-oidc-client.js:660
**no keys found, incorrect Signature, validation failed for id_token** angular-auth-oidc-client.js:647
authorizedCallback Signature validation failed id_token angular-auth-oidc-client.js:660
authorizedCallback, token(s) validation failed, resetting angular-auth-oidc-client.js:647
angular-auth-oidc-client.js:647
this.userData -- : app.component.ts:33:9
IsAuthorizedRace: Silent Renew Refresh Session Complete angular-auth-oidc-client.js:660
IsAuthorizedRace: Completed angular-auth-oidc-client.js:660
getIsAuthorized: false
On another note: the provider does not set the session_state, and that seems fine.
Let me know if you need more info. And thank you for your quick response.
-s
@damienbod any estimate when this can be implemented?
Thanks
@seleshmaster I will try to do this at the weekend, busy at the day job at the moment. It would help if you sent me your JWT JSON response. Is this possible? You can find this in the well-known endpoint response.
Greetings Damien
@damienbod ,
This is the response I am getting: {"access_token":"j9D7_qfMasWmmGbKYpNhTQ","token_type":"Bearer","expires_in":898,"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJiOGI0NTU0ZC1hZj..."}
After that, cert validation fails. I pasted the console output above.
And if you are asking about the format in which the ID provider stores the key:
{
    "keys": [{
        "kty": "RSA",
        "kid": "XXX",
        "n": "XXX",
        "e": "XXX"
    }]
}
Thanks
I am going through the specs now. The "use": "sig" is required to validate the token.
https://tools.ietf.org/html/rfc7517#page-6
http://self-issued.info/docs/draft-ietf-jose-json-web-encryption.html
Why does your server not provide a way to validate the token?
I don't think this should be missing. I am starting to think this should not be missing, as not validating the token is a security problem.
Greetings Damien
@damienbod
Actually, the issuer signs the id_token, and according to OpenID Connect Discovery 1.0, the "use" field is optional.
https://openid.net/specs/openid-connect-discovery-1_0-final.html
jwks_uri
REQUIRED. URL of the OP's JSON Web Key Set [JWK] document. This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure. The JWK x5c parameter MAY be used to provide X.509 representations of keys provided. When used, the bare key values MUST still be present and MUST match those in the certificate.
Thanks
@damienbod so when do you think this can be fixed?
by the way, thank you for such a great work!
-s
I'm looking into this now, trying to figure out a way of selecting the right cert/key when this is missing.
@damienbod Am I right in assuming that your library requires the presence of kid, even though this is an optional parameter?
If kid is not present in the token header, then you should assume that there is only one possible key and use the first key in the list, right?
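The two spec points raised in this thread (RFC 7517 §4.2 makes the "use" member OPTIONAL, and "kid" in the JOSE header is OPTIONAL as well) combine into one key-selection rule. The following is an added example written for this thread; it is not code from angular-auth-oidc-client, and the JWKS documents, kids and header objects in it are constructed, with placeholder "n" values that are never used for real signature verification. It treats a key with no "use" as a signing candidate, rejects keys marked "enc", requires an exact kid match when the header carries one, and, when the header has no kid, accepts a key only if the set leaves exactly one candidate rather than blindly taking the first entry:

```typescript
// Added example (not from angular-auth-oidc-client): choose the JWK that should
// verify an id_token when "use" and/or "kid" are absent. Sample data is constructed.

interface Jwk {
  kty: string;
  kid?: string;
  use?: string;       // OPTIONAL per RFC 7517 §4.2: "sig", "enc", or absent
  alg?: string;       // OPTIONAL per RFC 7517 §4.4
  key_ops?: string[]; // OPTIONAL per RFC 7517 §4.3
  n?: string;         // RSA modulus (RFC 7518 §6.3.1)
  e?: string;         // RSA exponent
}

interface JwtHeader {
  alg: string;
  kid?: string;       // OPTIONAL per RFC 7515 §4.1.4
}

// A key is a signing candidate unless something explicitly rules it out.
// Absence of "use" is NOT a reason to reject it.
function isSigningCandidate(key: Jwk, header: JwtHeader): boolean {
  if (key.kty !== 'RSA') return false;                               // RS256/RS384/RS512 need an RSA key
  if (key.use !== undefined && key.use !== 'sig') return false;      // "enc" keys must never verify tokens
  if (key.key_ops !== undefined && key.key_ops.indexOf('verify') === -1) return false;
  if (key.alg !== undefined && key.alg !== header.alg) return false; // key pinned to a different algorithm
  return typeof key.n === 'string' && typeof key.e === 'string';     // must be a complete RSA public key
}

// Returns the single key to verify with, or throws when the choice is not unambiguous.
function selectSigningKey(jwks: { keys: Jwk[] }, header: JwtHeader): Jwk {
  const candidates = jwks.keys.filter((k) => isSigningCandidate(k, header));
  if (candidates.length === 0) {
    throw new Error('no usable RSA signing key in JWKS');
  }
  if (header.kid !== undefined) {
    // kid present: it must match exactly one candidate; never fall back to "any key".
    const matches = candidates.filter((k) => k.kid === header.kid);
    if (matches.length !== 1) {
      throw new Error('kid ' + header.kid + ' matched ' + matches.length + ' candidate keys');
    }
    return matches[0];
  }
  // kid absent: only safe when the set leaves exactly one candidate.
  if (candidates.length !== 1) {
    throw new Error('kid missing and ' + candidates.length + ' candidate keys; cannot choose');
  }
  return candidates[0];
}

// Wrapper for callers that prefer a kid-or-null result over an exception.
function selectSigningKid(jwks: { keys: Jwk[] }, header: JwtHeader): string | null {
  try {
    const key = selectSigningKey(jwks, header);
    return key.kid === undefined ? null : key.kid;
  } catch (e) {
    return null;
  }
}

// Constructed sample JWKS documents (placeholder key material, not a real provider's keys).
// Shape reported in this thread: one RSA key, no "use" member.
const SAMPLE_JWKS: { keys: Jwk[] } = {
  keys: [{ kty: 'RSA', kid: 'key-1', n: 'placeholder-n-1', e: 'AQAB' }],
};
// Mixed set: one signing key, one encryption key, one non-RSA key.
const MIXED_JWKS: { keys: Jwk[] } = {
  keys: [
    { kty: 'RSA', kid: 'sign-2019', use: 'sig', n: 'placeholder-n-2', e: 'AQAB' },
    { kty: 'RSA', kid: 'enc-2019', use: 'enc', n: 'placeholder-n-3', e: 'AQAB' },
    { kty: 'EC', kid: 'ec-2019', use: 'sig' },
  ],
};
// Rotation in progress: two RSA signing candidates, so a header without kid is ambiguous.
const ROTATED_JWKS: { keys: Jwk[] } = {
  keys: [
    { kty: 'RSA', kid: 'sign-2019', n: 'placeholder-n-4', e: 'AQAB' },
    { kty: 'RSA', kid: 'sign-2020', use: 'sig', alg: 'RS256', n: 'placeholder-n-5', e: 'AQAB' },
  ],
};

// Usage: the reported case (no "use", kid absent from the header) now resolves to key-1.
selectSigningKid(SAMPLE_JWKS, { alg: 'RS256' });
```

Failing closed on ambiguity is a deliberate choice: with two or more candidates and no kid, the alternative many libraries take is to attempt verification with each candidate in turn, which is also sound because a wrong key simply fails the signature check. What is not sound is selecting the first key and reporting the token invalid when that one happens to be the wrong one, or letting a key marked "enc" verify a signature.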