Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Apparent confusion of kty and alg #29

Closed
michielbdejong opened this issue Feb 15, 2021 · 2 comments
Closed

Apparent confusion of kty and alg #29

michielbdejong opened this issue Feb 15, 2021 · 2 comments

Comments

@michielbdejong
Copy link
Member

michielbdejong commented Feb 15, 2021
edited
Loading

The following DPoP token is not accepted by https://github.com/solid/identity-token-verifier:

{
  header: {
    alg: 'RS256',
    typ: 'dpop+jwt',
    jwk: {
      kty: 'RSA',
      kid: '3tjG2YeuINJZu1dsESrcDVLsH48wfPPJh_qvBX81Tcs',
      use: 'sig',
      alg: 'RSA',
      e: 'AQAB',
      n: '1JLhXFU_5eUoSXBg2QzuPL1zYgWY--3vEEgduukdODdieQXZOIWj2VKHxaHQzIgqQbZz8erx0DW6hGRbxKpkbVJbloK3zcVkPCooEctLDvTXARlpHihfAAh70IW2qK8jbaublaZ6WJg5pDLafLXwnMB6utg-MrdnFku_81WeDc93jCEs3UQOI80b_WpG1ZWnayy18cNKu-CyJIjwDjBpc7db5KTmkqkQdC-WKsHF4_-BM4nuX7zYQS6p1IUpjIBJDv2HkAaoanfP2xg42C3CBiFKHxBhYSytGgMRNX2Udj2ETDVCD0of2WCaRFqPQMuXtq_CWIFw6VflWDBq64iD_Q'
    }
  },
  payload: {
    htu: 'http://localhost:3000/.acl',
    htm: 'GET',
    jti: '4d7c8dd5-a899-4907-a551-36e1ba76a30b',
    iat: 1613376843,
    exp: 1613380443
  },
  signature: '0SKJZL17j4sjqIR6_4o4ocNUV3xq60gmbZpsVzjaHy0o67FlZ4P3q3yFuIS0-3MOts3RNp5I6YllBfti-b9A4aVUATOKJcNvwQercWw5vvMg3v252XjV8E86Ir3oDVAlqHTEYX89AjeZ73PN9gI0x8D3pP0mr1wcpZcvj7jM4u57XN3GTH4uYATQT1wdAhmz9y_sKSw_7K0zZOC8ItfDtfdr1FROn2UyWdVzLeI_pbKHLv7CyngoKbJPZrwqYQ9sKXSXw4m9IH6-71RPTHhCUxG1EyC6igytCi6QmuSYm1sBWin-tuuCGFFvLRn0A_yWxWwCc5Sq_xeH15bWXerzMA'
}

Note that both header.jwk.kty and header.jwk.alg have the value 'RSA'.
It makes community-server output a validation error which is thrown in https://github.com/solid/identity-token-verifier/blob/0cbb50406717496ecc900d1e3171b2f7ee946a31/src/guards/DPoPJWKGuard.ts#L65
It checks if RSA is in Set { 'RS256', 'RS384', 'RS512' }, which it is not.

And indeed, if you change header.jwk.alg to 'RS256', then community-server correctly logs:

Verified WebID via DPoP-bound access token: https://solid-crud-tests-example-1.solidcommunity.net/profile/card#me
@acoburn
Copy link

acoburn commented Feb 15, 2021

The jwk.alg field is incorrect. If present, the value should be one of those listed by IANA: https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms

In this case, the alg field should be RS256

@michielbdejong
Copy link
Member Author

Turns out NSS behaviour was fine, and it was solid-auth-fetcher that was setting the wrong value!

michielbdejong added a commit to solid-contrib/solid-auth-fetcher that referenced this issue Feb 16, 2021
@michielbdejong
Fix nodeSolidServer/oidc-op#29
8da3b42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@michielbdejong @acoburn