
UserInfo does not check for declared key usage when selecting encryption key #294

Closed
matteo-s opened this issue Dec 15, 2023 · 2 comments
Labels
bug Something isn't working help wanted Extra attention is needed

Comments

@matteo-s

While building the userInfo response the provider fetches the client keys and then merely picks the first with a non-empty kid, without checking its intended usage.
If the client exposes 2 keys, one for signing and one for encryption, the provider by picking the first will either:

  • pick the right one (by luck) just because it is the first in the list
  • pick the wrong one and use the sig key against its intended usage

```python
# Current selection loop: the first key carrying any kid wins, and the key's
# declared "use" (sig/enc) is never consulted.
for k in client_jwks:
    if k.get('kid') and len(k["kid"]) >= 1:
        client_jwk = k
        break
```
@peppelinux peppelinux added bug Something isn't working help wanted Extra attention is needed labels Dec 15, 2023
@peppelinux
Member

Ok, we just have to create a utility function, like this

def get_jwk_from_jwt(jwt: str, provider_jwks: dict) -> dict:
where a jwks is passed and an argument set (enc, sig) to get the first key according to the scope

In the current specs we haven't defined this detail about the key, but it is good practice to have different keys for different scopes
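An added example (not the project's own code) of the usage-aware selection both comments ask for: it never returns a key declared for a different use, even when the kid matches, honours `key_ops` as well as `use`, and skips keys that declare nothing unless explicitly allowed. The names `select_jwk` and `KeySelectionError` and the sample JWKS are assumptions.

```python
from typing import Optional

# Added example (not project code): select a client JWK by declared usage.
# RFC 7517 key_ops values that correspond to each "use" value.
_OPS_FOR_USE = {
    "sig": {"sign", "verify"},
    "enc": {"encrypt", "decrypt", "wrapKey", "unwrapKey"},
}

class KeySelectionError(LookupError):
    """No key satisfies the requested kid/use constraints."""

def _declared_uses(jwk: dict) -> Optional[set]:
    """Uses a key declares via `use` or `key_ops`; None means unrestricted."""
    if "use" in jwk:
        return {jwk["use"]}
    if "key_ops" in jwk:
        ops = set(jwk["key_ops"])
        return {u for u, allowed in _OPS_FOR_USE.items() if ops & allowed}
    return None

def select_jwk(client_jwks: list, use: str, kid: Optional[str] = None,
               allow_unrestricted: bool = False) -> dict:
    """First client key fit for `use` ("sig"/"enc"). A key declared for another
    use is never returned, even on kid match; keys declaring nothing are skipped
    unless allow_unrestricted."""
    if use not in _OPS_FOR_USE:
        raise ValueError(f"unknown key use: {use!r}")
    for jwk in client_jwks:
        if not jwk.get("kid"):
            continue  # a key without kid cannot be referenced in the JWE/JWS header
        if kid is not None and jwk["kid"] != kid:
            continue
        declared = _declared_uses(jwk)
        if declared is None and not allow_unrestricted:
            continue  # strict: ignore keys that do not state their purpose
        if declared is None or use in declared:
            return jwk
    raise KeySelectionError(f"no client key usable for {use!r} (kid={kid!r})")

# Constructed client JWKS, signing key first; key material is a placeholder.
CLIENT_JWKS = [
    {"kty": "RSA", "kid": "sig-1", "use": "sig", "alg": "RS256", "n": "...", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc-1", "use": "enc", "alg": "RSA-OAEP", "n": "...", "e": "AQAB"},
]

# With the first-kid-wins loop from the issue, CLIENT_JWKS[0] ("sig-1") would be
# used to encrypt the userinfo response; select_jwk(CLIENT_JWKS, "enc") yields "enc-1".
```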

@rglauco
Collaborator

rglauco commented Mar 13, 2024

Fixed in #311

@rglauco rglauco closed this as completed Mar 13, 2024