
OAuth2 Auth provider incorrectly validating Access Tokens

Open chrispatmore opened this issue 1 year ago • 14 comments

Questions

Do not use this issue tracker to ask questions, instead use one of these channels. Questions will likely be closed without notice.

Version

Version: 4.3.8

Context

Whilst trying to set up an OIDC client with discovery against a Keycloak instance, I discovered that the access token, which is in JWT form, was not being decoded and added to the session as I expected it would be. The non-decoded form is present on the session.

Steps to reproduce

  1. Run a Keycloak instance somewhere and create a realm, a client and a user
  2. Set up the Vert.x OIDC client with discovery
  3. Have an endpoint that prints out the session
  4. Run the program, log in and inspect the session

Extra

The reason the decoded form is not stored is https://github.com/eclipse-vertx/vertx-auth/blob/f0215a105380d47ecdefa260e2ebe0aa321a5297/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.java#L542, which calls validToken, which internally does https://github.com/eclipse-vertx/vertx-auth/blob/f0215a105380d47ecdefa260e2ebe0aa321a5297/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.java#L643

with the comment:

// https://openid.net/specs/openid-connect-core-1_0.html#  $3.1.3.7.
// The Client MUST validate that the aud (audience) Claim contains its client_id value registered at the Issuer
// identified by the iss (issuer) Claim as an audience. The aud (audience) Claim MAY contain an array with more
// than one element. The ID Token MUST be rejected if the ID Token does not list the Client as a valid audience,
// or if it contains additional audiences not trusted by the Client.

This fails for the Keycloak access token, as the aud is not the client ID; it is account.

https://openid.net/specs/openid-connect-core-1_0.html# $3.1.3.7 refers to the section for ID Token Validation. In this case the token is not an ID token, so it should not be subject to the same validation logic. The validation logic for access tokens is stated in section 3.2.2.9.

Therefore there are a couple of options / parts:

  1. Switch https://github.com/eclipse-vertx/vertx-auth/blob/f0215a105380d47ecdefa260e2ebe0aa321a5297/vertx-auth-oauth2/src/main/java/io/vertx/ext/auth/oauth2/impl/OAuth2AuthProviderImpl.java#L643 to idToken && jwtOptions.getAudience() == null instead of ||, so that this validation is skipped for access tokens, fixing this bug
  2. Add in the rules from 3.2.2.9 for access tokens (possibly a new feature or extension)

chrispatmore, Jun 08 '23 12:06
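Added example, not code from vertx-auth, sketching the two points of the post in plain Python: the audience gate with the reported || condition beside the proposed && condition, and the access-token rule of section 3.2.2.9 (the at_hash check). The claim sets, client id, issuer and the exact shape of the gate are assumptions; the vertx-auth call sites are not reproduced.

```python
import base64
import hashlib
import hmac

# Constructed sample claims, not real tokens: a Keycloak-style access token
# whose aud is "account", and an ID token whose aud is the client id (assumed).
CLIENT_ID = "my-client"
ISSUER = "https://idp.example/realms/demo"
ACCESS_TOKEN_CLAIMS = {"iss": ISSUER, "aud": "account", "azp": CLIENT_ID, "typ": "Bearer"}
ID_TOKEN_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "azp": CLIENT_ID, "typ": "ID"}


def aud_contains(claims, client_id):
    """3.1.3.7: aud may be a string or an array; it must list the client."""
    aud = claims.get("aud")
    if aud is None:
        return False
    return client_id in ([aud] if isinstance(aud, str) else aud)


def valid_token(claims, id_token, client_id, configured_audience=None, fixed=False):
    """Assumed reconstruction of the audience gate the issue points at.

    Buggy gate: the ID-token aud rule runs when (id_token OR no configured
    audience), so a plain access token is held to the ID-token rule.
    Fixed gate: it runs only when (id_token AND no configured audience).
    Returns True when the token passes this gate.
    """
    if fixed:
        run_aud_rule = id_token and configured_audience is None
    else:
        run_aud_rule = id_token or configured_audience is None
    return not run_aud_rule or aud_contains(claims, client_id)


def at_hash(access_token, alg="RS256"):
    """3.2.2.9: hash the ASCII access token with the hash of the ID token's alg,
    keep the left-most half and base64url-encode it without padding."""
    digest_fn = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}[alg[-3:]]
    digest = digest_fn(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[: len(digest) // 2]).rstrip(b"=").decode("ascii")


def access_token_bound_to_id_token(access_token, id_claims, alg="RS256"):
    """Access-token rule from 3.2.2.9: at_hash in the ID token must match."""
    expected = id_claims.get("at_hash")
    return expected is not None and hmac.compare_digest(expected, at_hash(access_token, alg))
```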