node-solid-server
Shall NSS use ES256 algorithm as default in replacement of RS256
@mrkvon
At present, logging in with an NSS account uses the RS256 algorithm.
https://solidcommunity.net/.well-known/openid-configuration
{"issuer":"https://solidcommunity.net","jwks_uri":"https://solidcommunity.net/jwks","scopes_supported":["openid","offline_access"],"response_types_supported":["code","code token","code id_token","id_token code","id_token","id_token token","code id_token token","none"],"token_types_supported":["legacyPop","dpop"],"response_modes_supported":["query","fragment"],"grant_types_supported":["authorization_code","implicit","refresh_token","client_credentials"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":"client_secret_basic","token_endpoint_auth_signing_alg_values_supported":["RS256"],"display_values_supported":[],"claim_types_supported":["normal"],"claims_supported":[],"claims_parameter_supported":false,"request_parameter_supported":true,"request_uri_parameter_supported":false,"require_request_uri_registration":false,"check_session_iframe":"https://solidcommunity.net/session","end_session_endpoint":"https://solidcommunity.net/logout","authorization_endpoint":"https://solidcommunity.net/authorize","token_endpoint":"https://solidcommunity.net/token","userinfo_endpoint":"https://solidcommunity.net/userinfo","registration_endpoint":"https://solidcommunity.net/register"}
With #1698 being resolved we can also log in with CSS and ESS accounts that are using ES256.
- Is there missing information in openid-configuration? This is not displayed above.
- Are there any reasons to move NSS to use ES256 in replacement of RS256?
{"authorization_endpoint":"https://solidweb.me/.oidc/auth","claims_parameter_supported":true,"claims_supported":["azp","sub","webid","sid","auth_time","iss"],"code_challenge_methods_supported":["S256"],"end_session_endpoint":"https://solidweb.me/.oidc/session/end","grant_types_supported":["implicit","authorization_code","refresh_token","client_credentials"],"id_token_signing_alg_values_supported":["ES256"],"issuer":"https://solidweb.me/","jwks_uri":"https://solidweb.me/.oidc/jwks","registration_endpoint":"https://solidweb.me/.oidc/reg","response_modes_supported":["form_post","fragment","query"],"response_types_supported":["code id_token","code","id_token","none"],"scopes_supported":["openid","profile","offline_access","webid"],"subject_types_supported":["public"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt","none"],"token_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"token_endpoint":"https://solidweb.me/.oidc/token","request_object_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"request_parameter_supported":false,"request_uri_parameter_supported":true,"require_request_uri_registration":true,"introspection_endpoint":"https://solidweb.me/.oidc/token/introspection","introspection_endpoint_auth_methods_supported":["client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt","none"],"introspection_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"dpop_signing_alg_values_supported":["RS256","PS256","ES256","EdDSA"],"revocation_endpoint":"https://solidweb.me/.oidc/token/revocation","revocation_endpoint_auth_methods_supported":["client_secret_basic","client_secret_jwt","client_secret_post","private_key_jwt","none"],"revocation_endpoint_auth_signing_alg_values_supported":["HS256","RS256","PS256","ES256","EdDSA"],"claim_types_supported":["normal"]}
Are there any reasons to move NSS to use ES256 in replacement of RS256?
The OpenID spec requires that all IdPs support /at least/ RS256 (for a baseline). So, my recommendation is: NSS should support both algorithms. (Don't forget to update NSS's openid-configuration endpoint and add ES256 to the list of supported algs.)
Thanks for your comment. Can anyone help to discuss and make the needed changes? @mrkvon?
@bourgeoa
It's the first time I'm looking at the OpenID configuration. https://ldapwiki.com/wiki/Openid-configuration gives some hints, but I don't know what the difference is among the parameters ending with _alg_values_supported.
Perhaps all of them could have "ES256" added? That's just a wild guess though.
However, I haven't found a place to add it to the config in this repository. 🤷🏾♀️
OK, so there are two more places that will need code added to support ES256 on NSS.
- https://github.com/nodeSolidServer/oidc-op/blob/baffba8a184538e47f01766359caeac17dfb0e91/src/Provider.js#L160 - This is the generateKeychain method, which generates the server's public keys on startup if none have been generated before (which means they have to be cleared and re-generated).
- https://github.com/nodeSolidServer/oidc-op/blob/baffba8a184538e47f01766359caeac17dfb0e91/src/Provider.js#L73 - You only really need to change id_token_signing_alg_values_supported, not any of the other alg config values. Just like the previous item, the OIDC config file should be cleared (it will be re-generated on startup).