Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

EdDSA is an unsupported algorithm #691

Closed
radriaanse opened this issue Apr 10, 2021 · 0 comments · Fixed by #818
Closed

EdDSA is an unsupported algorithm #691

radriaanse opened this issue Apr 10, 2021 · 0 comments · Fixed by #818

Comments

@radriaanse
Copy link

Describe the bug

Bit in between a bug report and feature request :)

The oathkeeper credentials generate command seems to have support for the EdDSA algorithm but when you try to actually use it in an id_token mutator the following error is thrown:

credentials: signing key \"c6fd7086-392a-404e-a210-40ab68d562ff\" declares unsupported algorithm \"EdDSA\"

This seems to be because

oathkeeper/credentials/signer_default.go

Line 32 in 9ad41f0

method := jwt.GetSigningMethod(key.Algorithm)

and form3tech-oss/jwt-go has no support for EdDSA, only ES*

Reproducing the bug

Kratos & Oathkeeper running inside docker behind Envoy using extensions.filters.http.ext_authz.v3.ExtAuthz

Server logs

{
  "audience": "application",
  "error": {
    "message": "credentials: signing key \"c6fd7086-392a-404e-a210-40ab68d562ff\" declares unsupported algorithm \"EdDSA\"",
    "trace": "\ngithub.com/ory/oathkeeper/credentials.(*DefaultSigner).Sign\n\t/home/ory/credentials/signer_default.go:34\ngithub.com/ory/oathkeeper/pipeline/mutate.(*MutatorIDToken).Mutate\n\t/home/ory/pipeline/mutate/mutator_id_token.go:195\ngithub.com/ory/oathkeeper/proxy.(*RequestHandler).HandleRequest\n\t/home/ory/proxy/request_handler.go:321\ngithub.com/ory/oathkeeper/api.(*DecisionHandler).decisions\n\t/home/ory/api/decision.go:109\ngithub.com/ory/oathkeeper/api.(*DecisionHandler).ServeHTTP\n\t/home/ory/api/decision.go:63\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/reqlog.(*Middleware).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.163/reqlog/middleware.go:134\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/oathkeeper/metrics.(*Middleware).ServeHTTP\n\t/home/ory/metrics/middleware.go:88\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/x/metricsx.(*Service).ServeHTTP\n\t/go/pkg/mod/github.com/ory/x@v0.0.163/metricsx/middleware.go:261\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/urfave/negroni.(*Negroni).ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:96\nnet/http.serverHandler.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2887\nnet/http.(*conn).serve\n\t/usr/local/go/src/net/http/server.go:1952\nruntime.goexit\n\t/usr/local/go/src/runtime/asm_amd64.s:1371"
  },
  "file": "/home/ory/proxy/request_handler.go:327",
  "func": "github.com/ory/oathkeeper/proxy.(*RequestHandler).HandleRequest",
  "granted": false,
  "http_host": "myhost",
  "http_method": "GET",
  "http_url": "myurl",
  "http_user_agent": "",
  "level": "warning",
  "msg": "The mutation handler encountered an error",
  "mutation_handler": "id_token",
  "reason_id": "mutation_handler_error",
  "rule_id": "protected",
  "service_name": "ORY Oathkeeper",
  "service_version": "v0.38.9-beta.1",
  "subject": "891cd8e1-5f59-4d83-af8b-0e314e27497b",
  "time": "2021-04-10T12:53:10Z"
}

Server configuration

# oathkeeper credentials generate --alg EdDSA
{
  "keys": [
    {
      "use": "sig",
      "kty": "OKP",
      "kid": "b0df1304-04c3-4ad7-959a-37d1f977602d",
      "crv": "Ed25519",
      "alg": "EdDSA",
      "x": "m31F4lUXAki4K3JOlAlzPmyP-eOSkaR5DNF8hFLa8As",
      "d": "dUZsMmvztotUPcw-rQfgkc74bVz-zS9AYk5cUll4EJw"
    }
  ]
}
# oathkeeper.yml

version: v0.38.9-beta.1

log:
  level: trace
  format: json
  leak_sensitive_values: true

access_rules:
  matching_strategy: regexp
  repositories:
    - file:///home/ory/access-rules.yml

authenticators:
  cookie_session:
    enabled: true
    config:
      check_session_url: http://kratos:4433/sessions/whoami
      preserve_path: true
      extra_from: "@this"
      subject_from: "identity.id"
      only:
        - ory_kratos_session

authorizers:
  allow:
    enabled: true

mutators:
  id_token:
    enabled: true
    config:
      issuer_url: http://oathkeeper:4455/
      jwks_url: file:///home/ory/id_token.jwks.json

errors:
  fallback:
    - json

  handlers:
    json:
      enabled: true
      config:
        verbose: true
# access-rules.yml

- id: "protected"
  match:
    url: "myurl"
    methods:
      - GET
  authenticators:
    - handler: cookie_session
  authorizer:
    handler: allow
  mutators:
    - handler: id_token
  errors:
    - handler: json

Expected behavior

Since the primary use case of the credentials generate command (as far as I know at least) is to use the resulting key inside the id_token mutator, it might be better either warn it's not possible to use it that way to remove the option.

It doesn't seem like there's any issue upstream for implementing it as well.

Environment

  • Version: v0.38.9-beta.1 9ad41f0
  • Environment: Docker
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(jwt): replace jwt module ecktom/oathkeeper
1 participant
@radriaanse