Add option to restrict signature algorithms
This plugin will currently accept any of these signature algorithms, right?
https://github.com/pulsejet/nextcloud-oidc-login/blob/925d4680165be58fe460fa667981a7b7412f5ffa/3rdparty/jumbojett/openid-connect-php/src/OpenIDConnectClient.php#L962-L984
Would it be possible to add an option to restrict what it will accept? https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ seems like a good article about the risks of being too accepting in general about JWT signature algorithms. I think a bunch of that doesn't apply here because of OIDC, but I think there are some remaining security issues in the difference between symmetric and asymmetric algorithms. With symmetric, compromising the client secret from any of multiple servers running the same Nextcloud instance would allow an attacker to forge JWTs for the entire time that client secret is in use. With asymmetric, the OpenID Provider needs to be compromised to get that effect. Additionally, asymmetric keys are way easier to roll than symmetric. So I think it would be significantly more secure overall to have an option to disable symmetric JWT signature algorithms.
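A check of the kind requested, as an added example (not code from nextcloud-oidc-login or the bundled jumbojett library): it reads the JWT header's `alg` and rejects the token before any signature verification unless that algorithm is on a configured allow-list, which here contains only asymmetric algorithms. The config key name `oidc_login_allowed_algs` and the sample tokens are assumptions.

```php
<?php
// Added illustration, not code from nextcloud-oidc-login or jumbojett/openid-connect-php.
// Assumes a hypothetical config key `oidc_login_allowed_algs` that supplies $allowedAlgs.
const ASYMMETRIC_ALGS = ['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512',
                         'ES256', 'ES384', 'ES512'];
function base64urlDecode(string $data): string
{
    $remainder = strlen($data) % 4;
    if ($remainder !== 0) {
        $data .= str_repeat('=', 4 - $remainder);
    }
    $decoded = base64_decode(strtr($data, '-_', '+/'), true);
    if ($decoded === false) {
        throw new RuntimeException('Invalid base64url segment in JWT');
    }
    return $decoded;
}
// Return the token's `alg` if it is on the allow-list, otherwise throw.
// Call this before any signature verification and verify with exactly the
// returned algorithm, so the header never chooses the key type on its own.
function requireAllowedAlg(string $jwt, array $allowedAlgs): string
{
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) {
        throw new RuntimeException('Malformed JWT: expected three segments');
    }
    $header = json_decode(base64urlDecode($parts[0]), true);
    if (!is_array($header) || !isset($header['alg']) || !is_string($header['alg'])) {
        throw new RuntimeException('JWT header lacks a string alg');
    }
    // Strict, case-sensitive comparison: "none" or "hs256" never match an entry.
    if (!in_array($header['alg'], $allowedAlgs, true)) {
        throw new RuntimeException('Rejected JWT alg: ' . $header['alg']);
    }
    return $header['alg'];
}
// Constructed sample tokens; the signature segment is a placeholder because only
// the header is inspected at this stage.
$seg = fn(array $json): string => rtrim(strtr(base64_encode(json_encode($json)), '+/', '-_'), '=');
$rsToken = $seg(['alg' => 'RS256', 'typ' => 'JWT']) . '.' . $seg(['sub' => 'alice']) . '.sig';
$hsToken = $seg(['alg' => 'HS256', 'typ' => 'JWT']) . '.' . $seg(['sub' => 'alice']) . '.sig';
$allowedAlgs = ASYMMETRIC_ALGS; // symmetric HS* algorithms disabled
echo requireAllowedAlg($rsToken, $allowedAlgs), PHP_EOL;
try {
    requireAllowedAlg($hsToken, $allowedAlgs);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The allow-list check only gates which algorithm may be used; the actual verification still has to use the returned algorithm with the matching key (provider JWKS for RS/PS/ES, never the client secret).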
Would you open a PR for this?
I can't easily contribute code to AGPL projects, sorry.
@dseomn out of curiosity, why is that? Does your employer forbid it?
Basically, yes. https://opensource.google/documentation/reference/patching#forbidden is the relevant policy. It does say "In some cases, you may be able to contribute to these projects via IARC", but I'd rather not bother with IARC for a small one-time thing.
@dseomn TIL, thanks!
Btw, does this also apply to things you do outside your workplace? So basically if I join Google tomorrow then I can't work on my Nextcloud app anymore during vacation?
I'm not an employment/copyright lawyer, so I can't really comment on that aspect. But I have used IARC multiple times and it's gone smoothly each time, it's just a (relatively small) hassle. I don't see the full IARC policy anywhere public, but https://opensource.google/documentation/reference/releasing#iarc has a little bit more detail.
I see. Thanks for the pointer!