
Validate token has key algorithm fixed to RSA-SHA256

Open. FelipeEmerim opened this issue 3 years ago • 1 comment

Describe the bug

The grant manager class has the signature algorithm fixed at RSA-SHA256. You can see that here.

Keycloak allows us to change that algorithm. If I do that, the validate function will reject every token, even if it is valid, because it will attempt to use the wrong algorithm.

Version

keycloak: 15.0.2
keycloak-connect: 15.0.2

Expected behavior

Keycloak correctly validates tokens signed with different algorithms

Actual behavior

Keycloak rejects all tokens except those signed with RSA-SHA256

How to Reproduce?

Change the access token signature algorithm to anything other than RS256, generate a token and attempt to validate it using this lib.

Anything else?

A good fix would be to allow the algorithm to be configurable, and have RSA-SHA256 as the default value to avoid a breaking change.

FelipeEmerim avatar Nov 12 '21 18:11 FelipeEmerim

Merging this PR does the proposed fix and closes this issue.

FelipeEmerim avatar Nov 12 '21 18:11 FelipeEmerim