
breakfix: id_token signed with unsupported algorithm

Open routerino opened this issue 2 years ago • 1 comments

Describe the issue

Attempting OIDC integration with Fusion Auth. Previously successful setting up with Keycloak. Getting the following error:

{"level":"warn","ts":1679792857.4263055,"logger":"security","msg":"Authentication failed","session_id":"k7BE2j8WU85wfLSuH8C85WbxrxNFjTDtqvt2FxPoAi2","request_id":"d6c479e7-1776-4540-904f-35ee764c69c4","error":"failed validating OAuth 2.0 access token: OAuth 2.0 failed to parse id_token: OAuth 2.0 id_token signed with unsupported algorithm: HS256"}

Configuration

{
	# do not attempt to install certs on the docker container
	skip_install_trust

	# security settings
	order authenticate before respond
	order authorize before basicauth

	security {
		oauth identity provider <mydomain> {
			delay_start 5
			driver generic
			realm <mydomain>
			client_id 3e6c5bd0-e0fa-431d-b588-c06c10062578
			client_secret <redacted>
			scopes openid email profile
			metadata_url https://login.<mydomain>/.well-known/openid-configuration/a17c408d-98d6-2805-711d-03f6fcd191cd
		}

		authentication portal defaultAuth {
			crypto default token lifetime 3600
			crypto key sign-verify <redacted>
			enable identity provider <mydomain>
			cookie domain *.<mydomain>.com.au
			ui {
				links {
					"dev.<mydomain>.com.au" https://dev.<mydomain>.com.au/?folder=/mnt/containers icon "las la-star"
					"dev-hs-ui.<mydomain>.com.au" https://dev-hs-ui.<mydomain>.com.au/ icon "las la-star"
					"My Identity" "/whoami" icon "las la-user"
				}
			}
			transform user {
				match origin <mydomain>
				action add role authp/user
			}
		}

		authorization policy defaultPolicy {
			set auth url https://sso.<mydomain>.com.au
			allow roles authp/user
			crypto key verify <redacted>
		}
	}
}

Version Information

Provide output of caddy list-modules -versions | grep git below:

dns.providers.cloudflare
http.authentication.providers.authorizer
http.handlers.authenticator
security

  Non-standard modules: 4

Expected behavior

Successful Login

routerino, Mar 26 '23 01:03

As a note it does appear (as the error code implies) that fusionauth defaults to HS256 for signing its tokens. By downgrading to RSA256 the problem is solved, but going to leave this open as a compatibility problem.

routerino, Mar 26 '23 03:03
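The error in the report and the follow-up note both come down to the `alg` field in the id_token header: HS256 is an HMAC over a shared secret (the `client_secret`), so a relying party that verifies id_tokens against the keys published at the provider's `jwks_uri` has nothing it can check the signature with, and a safe implementation refuses the token rather than guessing. The following added example is not caddy-security's or FusionAuth's code; it uses only the Python standard library, constructs its own sample tokens and secret, and assumes an allowlist of asymmetric algorithms (`ASYMMETRIC_ALGS`, a hypothetical policy chosen here) to illustrate why an HS256-signed id_token is reported as unsupported and why switching the provider to an RSA key, as the reporter did, resolves it.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical policy (assumption, not caddy-security's actual list): a relying
# party that fetches verification keys from jwks_uri can only check signatures
# made with asymmetric algorithms. HMAC algorithms (HS256/384/512) need the
# client_secret itself as the key, and "none" is never acceptable.
ASYMMETRIC_ALGS = frozenset(
    {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "ES256", "ES384", "ES512"}
)


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding that JWS strips before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def build_hs256_token(claims: dict, secret: bytes) -> str:
    """Build an HS256-signed JWT (constructed sample, not a real provider token)."""
    signing_input = _encode_json({"alg": "HS256", "typ": "JWT"}) + "." + _encode_json(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def make_unverified_token(alg: str, claims: dict) -> str:
    """Header + payload with a placeholder signature; only useful for header checks."""
    return _encode_json({"alg": alg, "typ": "JWT"}) + "." + _encode_json(claims) + "." + b64url_encode(b"placeholder")


def parse_header(token: str) -> dict:
    """Decode the protected header of a compact JWS; reject malformed tokens."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[0]))


def check_id_token_alg(token: str, allowed=ASYMMETRIC_ALGS) -> tuple:
    """Return (accepted, message) mirroring the shape of the warning in the log."""
    alg = parse_header(token).get("alg")
    if alg in allowed:
        return True, f"id_token alg {alg} accepted; verify against jwks_uri"
    return False, f"OAuth 2.0 id_token signed with unsupported algorithm: {alg}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Only a party holding the shared secret can verify an HS256 token."""
    head, payload, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


if __name__ == "__main__":
    secret = b"constructed-client-secret"  # constructed, not a real credential
    claims = {"iss": "https://login.example.test", "sub": "alice", "aud": "constructed-client-id"}
    hs_token = build_hs256_token(claims, secret)
    print(check_id_token_alg(hs_token)[1])                        # rejected: HS256
    print("HMAC check with shared secret:", verify_hs256(hs_token, secret))
    print(check_id_token_alg(make_unverified_token("RS256", claims))[1])  # accepted
    print(check_id_token_alg(make_unverified_token("none", claims))[1])   # rejected
```

Running it prints the same "unsupported algorithm: HS256" message for the HMAC token, shows that the token does verify for whoever holds the shared secret, and shows that an RS256 header passes the allowlist and would proceed to JWKS verification. The practical takeaway for the configuration above is on the provider side: set the application's id_token signing key to an RSA (or EC) key so the `alg` becomes one the relying party can verify with published public keys.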