
Social auth module fails if OIDC provider uses algorithm RS256 to sign ID Token


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 5.5.1
    • Fix Version/s: 5.5.3, 6.0.1, 7.0.0, 6.5.3
    • Component/s: authentication
    • Environment: Oracle JDK 1.8.0_201-b09, Apache Tomcat/8.0.48, AM 5.5.1
    • Sprint: AM Sustaining Sprint 74, AM Sustaining Sprint 75

    Description

      Bug description

      AM Social Auth Module fails when the OIDC provider exports keys with unsupported algorithms at the JWKS_URI endpoint.

      How to reproduce the issue

      1. Configure AM 6.5.0 as OIDC provider
      2. Create OAuth2 client and select RS256 as value for 'ID Token Signing Algorithm'
      3. Configure custom social auth module / chain in AM 5.5.1 (https://backstage.forgerock.com/docs/am/5.5/authentication-guide/#social-authn-wizard-custom) leveraging AM 6.5.0 as OIDC provider
      4. Select 'client_secret' as 'OpenID Connect validation configuration type' in social auth module
      5. Set client secret as value for 'OpenID Connect validation configuration value' in social auth module
      6. Add the custom OIDC chain as value for the 'Social Authentication Implementations' service
      7. Access AM 5.5.1 login uri and trigger social auth
      Expected behaviour
      Social auth should succeed
      
      Current behaviour
      Social auth module fails
      
      Excerpt from the AM 5.5.1 Authentication debug log:
      javax.security.auth.login.LoginException: org.forgerock.json.jose.exceptions.JwsSigningException: Unsupported Signing Algorithm, SHA256withRSA
              at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.signWithHMAC(HmacSigningHandler.java:73)
              at org.forgerock.json.jose.jws.handlers.HmacSigningHandler.verify(HmacSigningHandler.java:96)
              at org.forgerock.json.jose.jws.SignedJwt.verify(SignedJwt.java:194)
              at org.forgerock.oauth.resolvers.SharedSecretOpenIdResolverImpl.verifySignature(SharedSecretOpenIdResolverImpl.java:68)
              at org.forgerock.oauth.resolvers.SharedSecretOpenIdResolverImpl.validateIdentity(SharedSecretOpenIdResolverImpl.java:58)
              at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(OpenIDConnectClient.java:368)
              at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(OpenIDConnectClient.java:270)
              at org.forgerock.util.promise.Promises$CompletedPromise.then(Promises.java:183)
              at org.forgerock.util.promise.Promises$CompletedPromise.then(Promises.java:148)
              at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.handlePostAuth(OpenIDConnectClient.java:221)
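The trace above shows the shared-secret (HMAC) handler being asked to verify an RS256 signature, which it cannot do. As an added illustration, not AM's own code, this Python sketch shows the check a relying party can make up front: derive the algorithms its configured validation type can verify, reject a mismatched ID token with an actionable error before any signature handler runs, and otherwise verify the HMAC signature with the client secret. The validation type names, the `jwk_url` mapping and the sample tokens are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Assumed mapping: a shared client secret can only check HMAC signatures, so an RS256
# ID token can never validate under 'client_secret'; RS*/ES* need the provider's JWKS.
ALLOWED_ALGS = {
    "client_secret": {"HS256", "HS384", "HS512"},
    "jwk_url": {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512"},
}
HMAC_HASH = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def check_id_token_alg(id_token: str, validation_type: str) -> str:
    """Fail closed, with an actionable message, before any signature handler runs."""
    alg = json.loads(_b64url_decode(id_token.split(".")[0])).get("alg")
    allowed = ALLOWED_ALGS.get(validation_type)
    if allowed is None:
        raise ValueError(f"unknown validation configuration type: {validation_type}")
    if alg not in allowed:
        raise ValueError(
            f"ID token alg {alg!r} cannot be verified with validation type '{validation_type}' "
            f"(supports {sorted(allowed)}); align the provider's 'ID Token Signing Algorithm' with it")
    return alg

def verify_with_client_secret(id_token: str, client_secret: str) -> dict:
    """Verify an HMAC-signed ID token with the shared client secret; return its claims."""
    alg = check_id_token_alg(id_token, "client_secret")
    signing_input, _, sig = id_token.rpartition(".")
    expected = hmac.new(client_secret.encode(), signing_input.encode(), HMAC_HASH[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("ID token signature does not match the client secret")
    return json.loads(_b64url_decode(signing_input.split(".")[1]))

def make_token(alg: str, claims: dict, client_secret: str = "") -> str:
    """Constructed sample tokens: real HMAC signature for HS*, placeholder bytes otherwise."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    signing_input = f"{header}.{_b64url_encode(json.dumps(claims).encode())}"
    if alg in HMAC_HASH:
        sig = hmac.new(client_secret.encode(), signing_input.encode(), HMAC_HASH[alg]).digest()
    else:
        sig = b"placeholder-signature"  # constructed; the alg check rejects it before it is read
    return f"{signing_input}.{_b64url_encode(sig)}"
```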
      

      People: Lawrence Yarham (lawrence.yarham), Bernhard Thalmayr (bthalmayr)