OpenAM: OPENAM-14534

The request parameter should accept any signing algorithms supported by the OP

    Details

    • Sprint:
      AM Sustaining Sprint 66, AM Sustaining Sprint 67
    • Story Points:
      3
    • Support Ticket IDs:
    • Needs QA verification:
      No
    • Functional tests:
      Yes
    • Are the reproduction steps defined?:
Yes, and I used the same as in the description

      Description

      Bug description

      The spec says:

      request_object_signing_alg
      OPTIONAL. JWS [JWS] alg algorithm [JWA] that MUST be used for signing Request Objects sent to the OP. All Request Objects from this Client MUST be rejected, if not signed with this algorithm. Request Objects are described in Section 6.1 of OpenID Connect Core 1.0 [OpenID.Core]. This algorithm MUST be used both when the Request Object is passed by value (using the request parameter) and when it is passed by reference (using the request_uri parameter). Servers SHOULD support RS256. The value none MAY be used. The default, if omitted, is that any algorithm supported by the OP and the RP MAY be used.

      https://openid.net/specs/openid-connect-registration-1_0.html

      This means that if, during dynamic registration, you haven't specified the request_object_signing_alg, then the OIDC client is allowed to use any algorithm supported by AM.

      Steps to recreate the issue

      1. Create an OIDC client without request_object_signing_alg specified (via dynamic registration or via the UI)
      2. Start an authorisation code grant flow with a request parameter signed with a supported algorithm, like RS256

      Expected behaviour

      The request should be accepted

      Current behaviour

      AM is returning:

      Unable to validate the request parameter signing algorithm

      Workaround

      None

      Code analysis

      We are already checking the algorithm in some form, but not as per the spec.

      I attached a patch that works for me for the Open Banking Ref Impl.
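The registration rule quoted above has two branches: a registered request_object_signing_alg pins the algorithm and everything else is rejected, while an omitted value means any algorithm the OP supports is acceptable. The check below, added here as an illustration and not the attached patch or AM's own code, implements exactly that rule on the JOSE header of a compact JWS. The OP's supported set, the client ids and the sample request objects are constructed for the example; "none" is deliberately absent from the supported set, so an unsigned request object is only accepted when the client registered request_object_signing_alg=none explicitly. Signature verification with the client's keys is a separate step that runs only after the alg has been accepted.

```python
import base64
import json

# Algorithms a hypothetical OP advertises as request_object_signing_alg_values_supported.
# Constructed for this example. "none" is deliberately left out, so an unsigned request
# object only passes if the client explicitly registered request_object_signing_alg=none.
OP_SUPPORTED_ALGS = frozenset({"RS256", "RS384", "RS512", "PS256", "ES256", "HS256"})


class RequestObjectAlgError(ValueError):
    """The request object's alg is not acceptable for this client."""


def _b64url_decode(segment):
    """Decode unpadded base64url, as used in JWS compact serialisation."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jws_header(request_object):
    """Return the decoded JOSE header of a compact JWS (header.payload.signature)."""
    parts = request_object.split(".")
    if len(parts) != 3:
        raise RequestObjectAlgError("request object is not a compact-serialised JWS")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise RequestObjectAlgError("malformed JWS header") from exc
    if not isinstance(header, dict) or not isinstance(header.get("alg"), str):
        raise RequestObjectAlgError("JWS header carries no alg")
    return header


def validate_request_object_alg(request_object, registered_alg, supported_algs=OP_SUPPORTED_ALGS):
    """Apply the registration rule for request_object_signing_alg.

    registered_alg is the value the client registered, or None if it was omitted.
    Returns the alg that the signature check must then be performed with.
    """
    alg = jws_header(request_object)["alg"]
    if registered_alg is not None:
        # A registered value pins the algorithm: any other alg MUST be rejected.
        if alg != registered_alg:
            raise RequestObjectAlgError(
                f"request object signed with {alg}, client registered {registered_alg}")
        return alg
    # Omitted at registration: any algorithm the OP supports may be used.
    if alg not in supported_algs:
        raise RequestObjectAlgError(f"alg {alg} is not supported by this OP")
    return alg


def is_acceptable(request_object, registered_alg, supported_algs=OP_SUPPORTED_ALGS):
    """Boolean form of validate_request_object_alg, convenient for tests and logging."""
    try:
        validate_request_object_alg(request_object, registered_alg, supported_algs)
        return True
    except RequestObjectAlgError:
        return False


def demo_request_object(alg, claims):
    """Build a constructed compact JWS with a placeholder signature segment.

    Only the header is inspected by the checks above; real signature verification
    with the client's registered keys happens after the alg has been accepted.
    """
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample: the request parameter of an authorisation code flow.
SAMPLE_CLAIMS = {"iss": "client-123", "aud": "https://op.example/oauth2",
                 "response_type": "code", "client_id": "client-123",
                 "redirect_uri": "https://rp.example/cb", "scope": "openid"}
RS256_REQUEST = demo_request_object("RS256", SAMPLE_CLAIMS)
NONE_REQUEST = demo_request_object("none", SAMPLE_CLAIMS)

if __name__ == "__main__":
    print("no alg registered, RS256:", is_acceptable(RS256_REQUEST, None))     # True
    print("no alg registered, none: ", is_acceptable(NONE_REQUEST, None))      # False
    print("PS256 registered, RS256: ", is_acceptable(RS256_REQUEST, "PS256"))  # False
```

The first case is the scenario in this ticket: no algorithm registered, request object signed with RS256, and the result is acceptance rather than "Unable to validate the request parameter signing algorithm". The second case shows why the OP's supported set, not the client's choice, bounds the default branch.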

              People

              • Assignee:
                lawrence.yarham Lawrence Yarham
                Reporter:
                quentin.castel Quentin CASTEL [X] (Inactive)