OpenAM issue OPENAM-10333

The OAuth2 client property "id_token_signed_response_alg" affects the jwt signature check

    Details

    • Sprint:
      AM Sustaining Sprint 33
    • Story Points:
      3

      Description

      Part of the OpenID certification: uses keys registered with the jwks_uri value [Dynamic] (certification test OP-Registration-jwks_uri).

      Description

      When you sign your JWT with the key published at the jwks_uri (so with RS256) but "id_token_signed_response_alg" is set to HS256 in the OAuth2 client config, OpenAM throws a 500 when checking the signature of this JWT.

      Cause

      OpenAM uses the value of id_token_signed_response_alg to pick the algorithm for checking the signature. It should instead read the signature algorithm from the JWT header.

      How to reproduce

      • Set the OAuth2 client's "id_token_signed_response_alg" to HS256, while the client's key registered via jwks_uri is an RSA key (RS256).
      • Call the access token endpoint, authenticating the client with a JWT signed with that key (the JWT Bearer as Authorization Grant flow).

      Expected result

      An access token

      Actual result

      ErrorResponse: {
        "error": "server_error",
        "error_description": "Internal Server Error"
      }
      

      Workaround

      If you can, set the value of "id_token_signed_response_alg" to RS256.

      How to fix this

      The JWT that OpenAM receives contains a kid, which identifies the JWK that OpenAM should use. Therefore OpenAM should deduce the signing algorithm from that JWK, instead of reading the "id_token_signed_response_alg" value.
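      The cause and the fix above, as an added example that is not OpenAM's code: the verifier resolves the JWK by the token's kid and lets that JWK (its "alg" and "kty") decide the verification algorithm, requiring the JWT header to agree with it; the client's id_token_signed_response_alg is not consulted. A `trust_client_alg` switch models the pre-fix behaviour so the failure on a valid RS256 token can be seen side by side with the fix. Everything here is constructed (the kid "rsa-1", the claims, the JWKS) and the RSA is a toy standard-library implementation for the demo, not something to use in a real server, where a vetted JWT/JOSE library does this work.

```python
"""Added example, not OpenAM code: pick the JWT verification algorithm from the JWK
matched by kid, not from id_token_signed_response_alg. Stdlib only; toy RSA."""
import base64, hashlib, hmac, json, random
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rounds=16):            # Miller-Rabin; n odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if all(c % p for p in (3, 5, 7, 11, 13)) and _is_probable_prime(c):
            return c

def gen_rsa(bits=512):
    """Toy RSA key pair (demo only): `bits`-wide modulus, public exponent 65537."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % 65537:
            return {"n": p * q, "e": 65537, "d": pow(65537, -1, (p - 1) * (q - 1))}

def _emsa(msg, k):                                # EMSA-PKCS1-v1_5 with SHA-256
    t = _SHA256_DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
def rsa_sign(key, msg):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")
def rsa_verify(key, msg, sig):
    k = (key["n"].bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), key["e"], key["n"]).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(msg, k))

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def _int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

def make_jwt(header, claims, signer):
    si = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
    return si + "." + b64u(signer(si.encode()))

class JwtError(Exception):
    pass

def verify_jwt(token, jwks, client_alg, trust_client_alg=False):
    """trust_client_alg=True models the pre-fix behaviour (client config picks the
    algorithm); otherwise the JWK found via kid decides and the header must agree."""
    try:
        h64, c64, s64 = token.split(".")
        header = json.loads(b64u_dec(h64))
    except ValueError as exc:                     # covers base64 and JSON errors
        raise JwtError("malformed token") from exc
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None:
        raise JwtError("no JWK with kid %r" % header.get("kid"))
    alg = client_alg if trust_client_alg else jwk["alg"]
    if not trust_client_alg and header.get("alg") != alg:
        raise JwtError("header alg %r does not match key alg %r" % (header.get("alg"), alg))
    si, sig = (h64 + "." + c64).encode(), b64u_dec(s64)
    if alg == "RS256" and jwk["kty"] == "RSA":
        pub = {"n": int.from_bytes(b64u_dec(jwk["n"]), "big"), "e": int.from_bytes(b64u_dec(jwk["e"]), "big")}
        ok = rsa_verify(pub, si, sig)
    elif alg == "HS256" and jwk["kty"] == "oct":
        ok = hmac.compare_digest(hmac.new(b64u_dec(jwk["k"]), si, hashlib.sha256).digest(), sig)
    else:  # e.g. HS256 chosen for an RSA key: the combination behind the 500 in the issue
        raise JwtError("alg %r cannot be used with a %r key" % (alg, jwk["kty"]))
    if not ok:
        raise JwtError("bad signature")
    return json.loads(b64u_dec(c64))

def demo():
    """Constructed scenario from the issue: RSA key via jwks_uri, RS256 token, config says HS256."""
    key = gen_rsa()
    jwks = {"keys": [{"kty": "RSA", "kid": "rsa-1", "alg": "RS256",
                      "n": _int_b64u(key["n"]), "e": _int_b64u(key["e"])}]}
    token = make_jwt({"alg": "RS256", "kid": "rsa-1"}, {"sub": "client-1"}, lambda m: rsa_sign(key, m))
    out = {}
    try:                                  # bug: config-driven choice fails on a valid token
        verify_jwt(token, jwks, "HS256", trust_client_alg=True)
    except JwtError as exc:
        out["config_driven"] = str(exc)
    out["key_driven"] = verify_jwt(token, jwks, "HS256")["sub"]   # fix: accepted
    try:                                  # header alg that disagrees with the kid's key
        verify_jwt(make_jwt({"alg": "HS256", "kid": "rsa-1"}, {"sub": "x"},
                            lambda m: hmac.new(b"guess", m, hashlib.sha256).digest()), jwks, "HS256")
    except JwtError:
        out["mismatch"] = "rejected"
    return out
```

      Running `demo()` shows the three outcomes: the config-driven path rejects the valid RS256 token with an algorithm/key-type error (an unhandled exception of that kind is what surfaced as the 500), the key-driven path accepts it, and a token whose header alg disagrees with the key selected by kid is rejected, so the header is checked against the key rather than trusted on its own.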

              People

              • Assignee:
                Quentin CASTEL (quentin.castel) [X] (Inactive)
              • Reporter:
                Quentin CASTEL (quentin.castel) [X] (Inactive)
              • Votes:
                0
              • Watchers:
                3
