okta-jwt-verifier-java
HTTP request to issuer URL exposes system information
I'm submitting a
- [x] bug report
- [ ] feature request
Background info
When verifying an access token, the verifier contacts the issuer URL to get the public key. In the HTTP request it performs, the `User-Agent` header contains much information about the calling server. It looks like this:

```
user-agent: okta-jwt-verifier-java/0.5.1 spring/5.2.2.RELEASE spring-boot/2.2.2.RELEASE spring-security/5.2.1.RELEASE tomcat/9.0 java/1.8.0_372 Linux/4.15.0-212-generic
```
In systems where there is no validation of the issuer and/or its value is taken directly from the `iss` claim, sometimes by design in order to support custom Okta URLs, the current behavior allows an attacker to craft a token with the attacker's URL in the issuer field (`iss` claim), making the server call the attacker's URL and exposing all these server details.

This issue can be considered CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere.
Expected behavior
The `User-Agent` header should not contain such information. Perhaps only `okta-jwt-verifier-java/<version>` or something generic.
Library Version
Tested with 0.5.1 and 0.5.7
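The background section describes the application-side condition that makes the verbose `User-Agent` a leak: the issuer is taken from the token's `iss` claim and handed straight to the verifier, so the JWKS fetch goes to whatever host the token names. The following is an added example of the mitigating pattern, written for this issue and not code from the issue reporter or from okta-jwt-verifier-java: the `iss` claim is read without verification, compared against a fixed allowlist, and only an allowlisted issuer ever gets a verifier (and therefore an outbound HTTP request). The allowlist URLs and the audience `api://default` are placeholders, Jackson is assumed to be on the classpath, and the `JwtVerifiers.accessTokenVerifierBuilder()` / `AccessTokenVerifier.decode()` calls are the library's 0.5.x API as used here under that assumption.

```java
// Added example (not part of the issue or of okta-jwt-verifier-java): application-side
// issuer allowlisting so that no JWKS request is ever made to a host chosen by the token.
import com.fasterxml.jackson.databind.JsonNode;      // assumed available (Jackson)
import com.fasterxml.jackson.databind.ObjectMapper;
import com.okta.jwt.AccessTokenVerifier;
import com.okta.jwt.Jwt;
import com.okta.jwt.JwtVerificationException;
import com.okta.jwt.JwtVerifiers;

import java.util.Arrays;
import java.util.Base64;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

public final class AllowlistedIssuerVerifier {

    // Placeholder allowlist: the only issuers this service accepts tokens from.
    // Custom Okta domains are supported by listing them here, not by trusting iss.
    private static final Set<String> ALLOWED_ISSUERS = Collections.unmodifiableSet(new HashSet<>(Arrays.asList(
            "https://example-tenant.okta.com/oauth2/default",
            "https://login.example.com/oauth2/default")));

    private static final String EXPECTED_AUDIENCE = "api://default"; // placeholder

    private static final ObjectMapper MAPPER = new ObjectMapper();

    // One verifier per allowed issuer, built lazily and cached. A verifier (and hence
    // the HTTP client that sends the User-Agent) is never created for an unknown issuer.
    private final Map<String, AccessTokenVerifier> verifiers = new ConcurrentHashMap<>();

    public Jwt verify(String token) throws JwtVerificationException {
        String claimedIssuer = unverifiedIssuer(token);
        if (claimedIssuer == null || !ALLOWED_ISSUERS.contains(claimedIssuer)) {
            // Reject before any network activity: no key fetch, no request to an attacker host.
            throw new JwtVerificationException("issuer is not on the allowlist");
        }
        AccessTokenVerifier verifier = verifiers.computeIfAbsent(claimedIssuer, iss ->
                JwtVerifiers.accessTokenVerifierBuilder()
                        .setIssuer(iss)
                        .setAudience(EXPECTED_AUDIENCE)
                        .build());
        // decode() still performs the real checks (signature, iss, aud, expiry) against
        // the allowlisted issuer; the unverified claim was only used to choose the verifier.
        return verifier.decode(token);
    }

    // Reads the iss claim from the payload segment without verifying the token.
    // Nothing in this value is trusted beyond the allowlist lookup above.
    static String unverifiedIssuer(String token) {
        String[] parts = token.split("\\.");
        if (parts.length != 3) {
            return null; // not a compact JWS; let the caller reject it
        }
        try {
            byte[] payload = Base64.getUrlDecoder().decode(parts[1]);
            JsonNode iss = MAPPER.readTree(payload).path("iss");
            return iss.isTextual() ? iss.asText() : null;
        } catch (IllegalArgumentException | java.io.IOException e) {
            return null; // malformed base64url or JSON
        }
    }
}
```

The design point is that the allowlist check happens before the library is touched at all, so a token naming a foreign issuer is dropped with no outbound request; the library's own verifier still does the cryptographic and claim checks afterwards. This complements, rather than replaces, the requested library fix of sending a minimal `User-Agent`, since a deployment that legitimately talks to several Okta orgs still reveals the header to each of them.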