Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Signature verification failed, but clients should not try to inspect access tokens #688

Open
jakub-bochenski opened this issue Oct 1, 2024 · 2 comments
Labels

Comments

@jakub-bochenski
Copy link

jakub-bochenski commented Oct 1, 2024

Version

4.5.8

Context

I'm trying to authenticate against Graph API using client credentials flow.

        OpenIDConnectAuth
            .discover(
                vertx,
                OAuth2Options()
                    .setSite("https://login.microsoftonline.com/${b2cOption.tenant()}/v2.0/.well-known/openid-configuration")
                    .setClientId(b2cOption.clientId())
                    .setClientSecret(b2cOption.clientSecret())
                    .setValidateIssuer(false)
                    .setFlow(OAuth2FlowType.CLIENT)
            )
            .coAwait()
            .run {
                this.authenticate(JsonObject().put("scopes", JsonArray(listOf("https://graph.microsoft.com/.default"))))
                    .coAwait()
                    .run { log.info { "Authenticated with B2C: $this" } }

Unfortunately it fails on:

java.lang.RuntimeException: Signature verification failed
         at io.vertx.ext.auth.impl.jose.JWT.decode(JWT.java:312)
         at io.vertx.ext.auth.impl.jose.JWT.decode(JWT.java:177)
         at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.createUser(OAuth2AuthProviderImpl.java:579)
         at io.vertx.ext.auth.oauth2.impl.OAuth2AuthProviderImpl.lambda$authenticate$4(OAuth2AuthProviderImpl.java:457)

Clients should not try to inspect access tokens at all. MSFT is right in stating:

If you're a client getting a token for Graph, assume that it's an encrypted string that you should never look at

I think the offending code is this:

    // attempt to decode tokens if jwt keys are available
    if (!jwt.isUnsecure()) {
      if (json.containsKey("access_token")) {
        try {
          final JsonObject token = jwt.decode(json.getString("access_token"));
@jakub-bochenski
Copy link
Author

In fact requiring the access token to be a JWT already breaks the specification

Access tokens do not have to be of any particular format, although there are different considerations for different options which will be discussed later in this chapter.

https://www.oauth.com/oauth2-servers/access-tokens/

@jakub-bochenski
Copy link
Author

This is the workaround I'm using for now

        val config = OAuth2Options()
            .setSite("https://login.microsoftonline.com/${b2cOption.tenant()}/v2.0/.well-known/openid-configuration")
            .setClientId(b2cOption.clientId())
            .setClientSecret(b2cOption.clientSecret())
            .setValidateIssuer(false)
        OpenIDConnectAuth
            .discover(
                vertx,
                config
            )
            .coAwait()
            .run { // https://github.com/eclipse-vertx/vertx-auth/issues/688
                close()
                config.setJwkPath(null);
                OAuth2Auth.create(vertx, config);
            }
            .run {
                this.authenticate(JsonObject().put("scopes", JsonArray(listOf("https://graph.microsoft.com/.default"))))
                    .coAwait()
                    .run { log.info { "Authenticated with B2C: $this" } }
           }            

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant