
jwks_uri shouldn't be a requirement for checking signatures

Open xushangning opened this issue 6 years ago • 6 comments

Since I received no response to my previous PR #150, here I describe the issues with jwks_uri in the code to see if anybody is interested.

So basically, JWT supports two signing algorithms for signatures: RS256/384/512 and HS256/384/512, among many others. As RS256 (RSA Signature with SHA-256) is asymmetric, every time you verify the signature, you have to fetch the server's public keys from the location pointed to by jwks_uri. That's why jwks_uri is considered necessary in #72.

But the situation is entirely different for HS256 (HMAC with SHA-256), a symmetric algorithm, so it doesn't have public/private key pairs. The signature can be checked when supplied with a secret. Most of the time, the secret is implemented as the client secret. In this case, the server doesn't need to supply a set of public keys through jwks_uri.

The code below will check for the existence of jwks_uri no matter which type of signature is in use:

https://github.com/jumbojett/OpenID-Connect-PHP/blob/4a93a98993c27f9b0186193cce78b1cb90d63ab6/src/OpenIDConnectClient.php#L307-L311

Also, in verifyJWTsignature, jwks_uri is a hard requirement:

https://github.com/jumbojett/OpenID-Connect-PHP/blob/4a93a98993c27f9b0186193cce78b1cb90d63ab6/src/OpenIDConnectClient.php#L889-L893

I can write a PR like #150 again for master. Sorry for the mention @jumbojett :)

Reference: Signing Algorithms

xushangning avatar Oct 09 '19 13:10 xushangning
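As an added illustration of the split described in the opening post (this is not code from OpenID-Connect-PHP; it is written in Python so it runs stand-alone): the HS* family is verified with the client secret alone and never touches jwks_uri, whereas the RS* family cannot proceed without the JWKS document that jwks_uri serves. The expected algorithm is pinned from client configuration rather than read from the token header, and the `rsa_verify` hook and the `make_hs_token` helper are assumptions standing in for a JOSE library.

```python
import base64, hashlib, hmac, json

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
RSA_ALGS = {"RS256", "RS384", "RS512"}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs_token(claims: dict, client_secret: str, alg: str = "HS256") -> str:
    """Build an HS*-signed token; used here only to construct sample input (assumed helper)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(client_secret.encode(), f"{header}.{payload}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_id_token(token, expected_alg, client_secret=None, jwks=None, rsa_verify=None):
    """Return the claims if the signature verifies under expected_alg, else raise ValueError.

    expected_alg is the client's configured id_token_signed_response_alg, never the
    token's own header, so a token cannot pick a weaker algorithm or switch key families.
    rsa_verify(jwk, signing_input, signature) -> bool is a hypothetical hook for a JOSE library.
    """
    h_b64, p_b64, s_b64 = token.split(".")  # raises ValueError if not three segments
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != expected_alg:
        raise ValueError(f"alg {header.get('alg')!r} does not match configured {expected_alg!r}")
    signing_input = f"{h_b64}.{p_b64}".encode()
    signature = b64url_decode(s_b64)
    if expected_alg in HMAC_ALGS:
        # Symmetric: the shared client secret is the key, so jwks_uri is not needed at all.
        if not client_secret:
            raise ValueError(f"{expected_alg} needs the client secret")
        expected = hmac.new(client_secret.encode(), signing_input, HMAC_ALGS[expected_alg]).digest()
        if not hmac.compare_digest(expected, signature):
            raise ValueError("HMAC signature mismatch")
    elif expected_alg in RSA_ALGS:
        # Asymmetric: the provider's public key is needed, which is exactly what jwks_uri serves.
        if not jwks:
            raise ValueError(f"{expected_alg} needs the JWKS document fetched from jwks_uri")
        keys = [k for k in jwks.get("keys", []) if k.get("kty") == "RSA" and k.get("kid") == header.get("kid")]
        if not keys or not rsa_verify(keys[0], signing_input, signature):
            raise ValueError("no matching RSA key in JWKS, or RSA signature mismatch")
    else:
        raise ValueError(f"unsupported alg {expected_alg!r}")
    return json.loads(b64url_decode(p_b64))
```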

I'm having the same problem, any ideas how to fix this?

Hesesses avatar Jan 11 '21 10:01 Hesesses

This library is made to conform to OpenID connect standard, not just plain exchange/verification of jwt tokens. jwks_uri is REQUIRED in the OpenID Provider Metadata https://openid.net/specs/openid-connect-discovery-1_0.html.

So if your OpenID provider does not have jwks_uri then it is misconfigured, or maybe you don't need this library at all but just a JWT sign/verify library such as https://github.com/firebase/php-jwt

telemmaite avatar Jan 11 '21 10:01 telemmaite

> This library is made to conform to OpenID connect standard, not just plain exchange/verification of jwt tokens. jwks_uri is REQUIRED in the OpenID Provider Metadata https://openid.net/specs/openid-connect-discovery-1_0.html.

The two claims are both correct, but they don't lead to your conclusion, because OIDC's official website states that Discovery itself is optional [1]. jwks_uri is only required for OIDC Discovery.

As always, my reading of the standard may be wrong, so feel free to raise objections.

xushangning avatar Jan 12 '21 02:01 xushangning

> I'm having the same problem, any ideas how to fix this?

You can see how I modified an older version of this library in PR #150. I have a fork at xushangning/OpenID-Connect-PHP with the PR applied, but it was also an old version and not maintained.

xushangning avatar Jan 12 '21 02:01 xushangning

https://github.com/jumbojett/OpenID-Connect-PHP/pull/308 will solve this as a side quest

DeepDiver1975 avatar Jul 05 '22 06:07 DeepDiver1975

#308 almost solved this, but it still has a redundant check for jwks_uri presence in the verifySignatures method. The presence of that is checked when needed inside the verifyJWTSignature method so I think the check can just be deleted.

singpolyma avatar May 17 '23 15:05 singpolyma