
[QUESTION] When switching to PKCE flow there are errors in openidc_load_jwt_and_verify_crypto() and openidc_load_and_validate_jwt_id_token() methods

Open madonar opened this issue 1 year ago • 1 comment

Environment
  • lua-resty-openidc version : 1.21.4.1
  • OpenID Connect provider : PhenixID
Expected behaviour

We are switching from the "code" flow to the "pkce" flow for security reasons. When doing so we see errors and are unable to proceed with the implementation. Is there someone who can point out the mistake and help us with this switch?

When a user starts to reach a website, the following happens (SSO):
  • authorization endpoint -> success response
  • token endpoint -> success response
  • jwks endpoint -> success response

After receiving the JWKS, the JWT verification should be successful without errors and the flow should proceed to be able to obtain a user token from the userinfo endpoint. How can I achieve this?

Actual behaviour

After receiving the response from the jwks endpoint, the errors below are seen in the logs. In particular, the line "RSA key with id 2LhxLYAqxej8ltPfuqPb1SLP-7g" is the same (including the same id, from a cache or similar?) for several different SSO attempts to log in to the website. Is the RSA key cached and reused every time? How can we fix this?

```
[error] 1234953#1234953: *2 [lua] openidc.lua:1006: openidc_load_jwt_and_verify_crypto(): RSA key with id 2LhxLYAqxej8ltPfuqPb1SLP-7g not found,
[error] 1234953#1234953: *2 [lua] openidc.lua:1066: openidc_load_and_validate_jwt_id_token(): id_token '' signature verification failed,
```

Minimized example

```lua
local opts = {
  redirect_uri = "/sso/ebx",
  discovery = "https://replacedforsecurityreasons-acceptance.se/oidc-basic-pkce-tenant/.well-known/openid-configuration",
  client_id = "replacedforsecurityreasons",
  client_secret = "replacedforsecurityreasons",
  ssl_verify = "no",
  timeout = 500,
  use_pkce = true,
  scope = "openid",
  use_nonce = false,
  accept_none_alg = true,
  keepalive = "yes",
  jwt_verification_cache_ignore = true,
}

local res, err, tgt_url, session = require("resty.openidc").authenticate(opts)
```

madonar avatar Feb 12 '24 11:02 madonar
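Added illustration (editor's example, not lua-resty-openidc's own code) of what the "RSA key with id ... not found" error means mechanically: the verifier reads the `kid` from the id_token header and looks it up in the JWKS document it holds. If the provider rotated its signing key after that document was cached, the lookup misses until the JWKS is refetched; if the provider's current JWKS does not publish that `kid` at all, no refresh helps and the id_token cannot be verified. It is written in Python rather than Lua so it runs stand-alone; the JWKS documents and tokens are constructed, and the refresh-on-miss policy and the `JwksCache` class are this example's own, not a description of the library's cache. It also shows why `accept_none_alg = true` from the minimized example is dangerous: with it set, a token whose header says `alg: none` skips the key lookup and signature check entirely.

```python
import base64
import json


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_test_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed test data).

    Only header parsing and key resolution are demonstrated here; the
    signature bytes are not cryptographically meaningful."""
    parts = [b64url_encode(json.dumps(part).encode()) for part in (header, payload)]
    parts.append(b64url_encode(b"placeholder-signature"))
    return ".".join(parts)


def parse_jwt_header(token: str) -> dict:
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    return json.loads(b64url_decode(parts[0]))


# Constructed JWKS documents: the provider rotated its signing key between the
# first fetch (what the verifier cached) and the token now being verified.
# 'n' values are dummies; a real document carries the RSA modulus.
CACHED_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "old-key-1", "n": "AA", "e": "AQAB"},
]}
CURRENT_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "new-key-2", "n": "AB", "e": "AQAB"},
]}


class JwksCache:
    """Hypothetical JWKS cache with a refresh-on-unknown-kid policy."""

    def __init__(self, fetch, initial=None):
        self._fetch = fetch                      # callable returning a JWKS dict
        self._keys = None if initial is None else initial["keys"]
        self.refreshes = 0                       # how many times we refetched on a miss

    def _find(self, kid):
        return next((k for k in self._keys if k.get("kid") == kid), None)

    def get_key(self, kid):
        if self._keys is None:
            self._keys = self._fetch()["keys"]
        key = self._find(kid)
        if key is None:
            # kid absent from the cached document: refetch once in case of rotation
            self._keys = self._fetch()["keys"]
            self.refreshes += 1
            key = self._find(kid)
        return key


def resolve_signing_key(token: str, cache: JwksCache, accept_none_alg: bool = False):
    """Return the JWK that should verify this token, or raise.

    Returns None only when alg=none is explicitly accepted, which means the
    token is unsigned and nothing about it can be trusted."""
    header = parse_jwt_header(token)
    alg = header.get("alg")
    if alg == "none":
        if not accept_none_alg:
            raise ValueError("alg=none rejected: unsigned token")
        return None
    if alg not in ("RS256", "RS384", "RS512"):
        raise ValueError(f"unsupported alg {alg!r}")
    kid = header.get("kid")
    if not kid:
        raise ValueError("JWT header carries no kid")
    key = cache.get_key(kid)
    if key is None:
        raise LookupError(f"RSA key with id {kid} not found in provider JWKS")
    return key


def demo() -> dict:
    """Run the three scenarios and return their outcomes."""
    cache = JwksCache(lambda: CURRENT_JWKS, initial=CACHED_JWKS)
    out = {}

    rotated = make_test_token({"alg": "RS256", "kid": "new-key-2"}, {"sub": "user1"})
    out["rotated_key"] = resolve_signing_key(rotated, cache)["kid"]
    out["refreshes_after_rotation"] = cache.refreshes   # one refetch fixed the miss

    unknown = make_test_token({"alg": "RS256", "kid": "unknown-key-9"}, {"sub": "user1"})
    try:
        resolve_signing_key(unknown, cache)
        out["unknown_kid_error"] = None
    except LookupError as e:
        out["unknown_kid_error"] = str(e)            # still missing after refresh

    unsigned = make_test_token({"alg": "none"}, {"sub": "admin"})
    try:
        resolve_signing_key(unsigned, cache)
        out["none_rejected"] = False
    except ValueError:
        out["none_rejected"] = True
    out["none_accepted_key"] = resolve_signing_key(unsigned, cache, accept_none_alg=True)
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

If the same `kid` appears in the error for every login attempt, the check worth doing first is to fetch the tenant's `jwks_uri` from the discovery document by hand and confirm whether that `kid` is listed at all; a stale cache and a key the provider never publishes produce the same log line but need different fixes.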

debug.log

Attaching the logs (debug mode) with the text "replacedforsecurityreasons" replacing IP, URL & large binary data.

madonar avatar Feb 12 '24 15:02 madonar