
at_hash mismatch – improperly calculated?

Open a-mroz opened this issue 3 years ago • 1 comments

Describe the problem

I'm trying to use the library for OIDC with Keyrock. Unfortunately, I have an issue with at_hash value – it seems to be improperly calculated on the library side.

For example, for an access token 4deb034d3e8433040a974b73e8d2d581779f08c8 I receive an error: RPError: at_hash mismatch, expected lTZwBokilh4aD6eMYP6kjw, got: lTZwBokilh4aD6eMYP6kjw==.

What was the expected behavior?

I believe that the value returned from Keyrock is valid. For example:

>>> import base64
>>> import hashlib
>>> token_to_hash = "4deb034d3e8433040a974b73e8d2d581779f08c8"
>>> hash = hashlib.sha256()
>>> hash.update(token_to_hash.encode('utf-8'))
>>> digest = hash.digest()
>>> digest_truncated = digest[:int((len(digest)/2))]
>>> base64.b64encode(digest_truncated)
b'lTZwBokilh4aD6eMYP6kjw=='
>>> str(base64.b64encode(digest_truncated))
"b'lTZwBokilh4aD6eMYP6kjw=='"

Reproduction

  • Start Keyrock using docker compose with OIDC enabled and the RS256 algorithm set for OIDC (as I didn't find a way to verify tokens using HS256). The options for docker-compose are IDM_OIDC_JWT_ALGORITHM=RS256 and OIDC_ENABLED=true.
  • Configure an application inside Keyrock.
  • Configure the middleware in an express app:
app.use(
  auth({
    issuerBaseURL: process.env.ISSUER_BASE_URL,
    baseURL: process.env.BASE_URL,
    clientID: process.env.CLIENT_ID,
    secret: process.env.SECRET,
    clientSecret: process.env.CLIENT_SECRET,
    clientAssertionSigningAlg: 'RS256', //default HS256 doesn't seem to be supported
    idpLogout: true,
    idTokenSigningAlg: 'RS256',
    authorizationParams: {
      response_type: 'code',
    },
  })
)
  • Try to authenticate and observe the mismatch error in logs.

Environment

  • Version of this library used: ^2.8.0
  • Which framework are you using, if applicable:
  • Other modules/plugins/libraries that might be involved: Keyrock with OIDC enabled and RS256 algorithm set for OIDC.
  • Any other relevant information you think would be useful:

a-mroz avatar Aug 08 '22 16:08 a-mroz

I verified the situation with the plain openid-client library and the problem persists. Hence, it seems to be an issue with the Keyrock implementation, after all. I'm not sure why the python code I provided is incorrect, though.

a-mroz avatar Aug 09 '22 05:08 a-mroz

Hi @a-mroz - thanks for raising this

Have a look at https://github.com/panva/node-openid-client/issues/90#issuecomment-383291652

Looks like Keyrock is using base64 to represent the hash instead of base64url; you'll need to raise an issue with them to fix it.

adamjmcgrath avatar Aug 22 '22 08:08 adamjmcgrath
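For reference, an added example (not code from this issue, Keyrock, or express-openid-connect) that computes at_hash the way OIDC Core 3.1.3.6 specifies (hash with the SHA-2 matching the ID token's alg, keep the left half, base64url without padding) next to the plain-base64 form the error message on this page shows, so a relying party can tell a wrong-alphabet/padding mismatch from a genuinely different token:

```python
import base64
import hashlib
import hmac

# Hash function per JWS alg: OIDC Core 3.1.3.6 requires the SHA-2 variant
# whose bit length matches the ID token signing algorithm.
_HASH_FOR_ALG = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "ES256": hashlib.sha256, "PS256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "ES384": hashlib.sha384, "PS384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "ES512": hashlib.sha512, "PS512": hashlib.sha512,
}


def left_half_digest(token: str, alg: str = "RS256") -> bytes:
    """Hash the ASCII access token and keep the left-most half of the digest."""
    digest = _HASH_FOR_ALG[alg](token.encode("ascii")).digest()
    return digest[: len(digest) // 2]


def at_hash(token: str, alg: str = "RS256") -> str:
    """Spec-conformant at_hash: base64url alphabet, '=' padding removed."""
    return base64.urlsafe_b64encode(left_half_digest(token, alg)).rstrip(b"=").decode("ascii")


def at_hash_plain_base64(token: str, alg: str = "RS256") -> str:
    """The non-conformant form seen on this page: standard base64, padding kept."""
    return base64.b64encode(left_half_digest(token, alg)).decode("ascii")


def verify_at_hash(claim: str, access_token: str, alg: str = "RS256") -> bool:
    """Strict check a relying party should perform; constant-time compare."""
    return hmac.compare_digest(claim, at_hash(access_token, alg))


def diagnose_mismatch(claim: str, access_token: str, alg: str = "RS256") -> str:
    """Explain why a claim failed: 'ok', 'encoding' (same bytes, wrong base64
    flavour/padding) or 'token' (the hash really is of a different token)."""
    if verify_at_hash(claim, access_token, alg):
        return "ok"
    normalised = claim.rstrip("=").replace("+", "-").replace("/", "_")
    return "encoding" if hmac.compare_digest(normalised, at_hash(access_token, alg)) else "token"


if __name__ == "__main__":
    # Access token value taken from the issue report above.
    tok = "4deb034d3e8433040a974b73e8d2d581779f08c8"
    print(at_hash(tok), at_hash_plain_base64(tok), diagnose_mismatch("lTZwBokilh4aD6eMYP6kjw==", tok))
```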