Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

io.jwt.decode_verify should not short-circuit #1901

Closed
tsandall opened this issue Nov 13, 2019 · 1 comment · Fixed by #1923
Closed

io.jwt.decode_verify should not short-circuit #1901

tsandall opened this issue Nov 13, 2019 · 1 comment · Fixed by #1923
Assignees
@patrick-east
Labels
bug

Comments

@tsandall
Copy link
Member

Expected Behavior

The io.jwt.decode_verify implementation should not error if none of the keys can be used to verify the signature. Instead it should simply indicate that the signature is not valid.

Actual Behavior

The io.jwt.decode_verify implementation short-circuits and halts evaluation if a key cannot be used to verify the signature on the token. If the JWKS contains multiple keys with different signing algorithms, e.g., ES256 and RS256, then the built-in will error out if tries to verify with an ES256 signed token with the RS256 key. This depends on the order of the keys in the JWKS (if it tries the ES256 key first in this case, all is good.)

Steps to Reproduce the Problem

  1. Create a JWKS containing two keys with different algorithms
  2. Sign a JWT with with the second key in the JWKS
  3. Call io.jwt.decode_verify on the token with the JWKS as the cert parameter
@tsandall tsandall added the bug label Nov 13, 2019
@patrick-east patrick-east self-assigned this Nov 13, 2019
@patrick-east
Copy link
Contributor

Example that can reproduce this: https://play.openpolicyagent.org/p/AiGN7Bhrar

The issue right now being that we don't use any of the keys contained in a jwks beyond the first one. We need to parse and try to use the others in the set.

In addition we should not raise an error for incompatible key types, it should just fail to verify if there are not any that work.

patrick-east added a commit to patrick-east/opa that referenced this issue Nov 26, 2019
@patrick-east
topdown/tokens: Fix verifying with multi-key JWKS
b560c71 
We were previously ignoring any keys beyond the first index in a set
of keys contained in a JWKS provided to the JWT builtins. We now will
attempt to use any of the keys found.

In addition we no longer raise an error if the key type doesn't match
the header. We will return the correct result as if the verification
failed (because it did..)

Fixes: open-policy-agent#1901
Signed-off-by: Patrick East <[email protected]>
@patrick-east patrick-east mentioned this issue Nov 26, 2019
Merged
patrick-east added a commit that referenced this issue Nov 26, 2019
@patrick-east
topdown/tokens: Fix verifying with multi-key JWKS
16a0aca 
We were previously ignoring any keys beyond the first index in a set
of keys contained in a JWKS provided to the JWT builtins. We now will
attempt to use any of the keys found.

In addition we no longer raise an error if the key type doesn't match
the header. We will return the correct result as if the verification
failed (because it did..)

Fixes: #1901
Signed-off-by: Patrick East <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@patrick-east patrick-east

Labels
bug
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

topdown/tokens: Fix verifying with multi-key JWKS patrick-east/opa
2 participants
@tsandall @patrick-east