
[Update to 2.9.1] ID token signed with an unsupported algorithm #394

Closed
ZPascal opened this issue Dec 3, 2023 · 18 comments
Labels
bug Something isn't working

Comments

ZPascal commented Dec 3, 2023

[Update to 2.9.1] ID token signed with an unsupported algorithm

Summary

Hi @p53, after the update to 2.9.1, I'm facing an issue with the ID token: the proxy reports that the signature algorithm is not supported. I'm running Keycloak with default settings and I've already tried to adjust the client settings and signature algorithm on the Keycloak side to one of the listed algorithms (from the error message). After changing the algorithm the issue persists. The error occurs after the update from Gatekeeper version 2.9.0 to 2.9.1. Have you changed something related to the signature algorithm?

Environment

  • OS: Debian 10 Buster
  • Kernel: Linux 4.19.0-24-amd64
  • Go: 1.20
  • Server: Keycloak 23.0.1 (behind an Apache2 reverse proxy)
  • Gatekeeper: 2.9.1

Expected Results

The calls should work as expected and deliver the same result as with version 2.9.0 of the gatekeeper.

Actual Results

refresh token failed verification {"error": "invalid token signature\noidc: id token signed with unsupported algorithm, expected [\"PS384\" \"ES384\" \"RS384\" \"ES256\" \"RS256\" \"ES512\" \"PS256\" \"PS512\" \"RS512\"] got \"HS256\""}

p53 commented Dec 4, 2023 via email

p53 commented Dec 4, 2023

@ZPascal fixed the issue, please try 2.9.2-rc1

@p53 p53 added the bug Something isn't working label Dec 4, 2023
@p53 p53 added this to the 2.9.2 milestone Dec 4, 2023

bogbert commented Dec 6, 2023

I still have the problem with 2.9.2

ZPascal commented Dec 6, 2023

I've tested the pre-release and can confirm that the solution does not work.

p53 commented Dec 7, 2023

@ZPascal @bogbert could you please provide the cmd line options you are using? Some logs would also be useful. You can also send me a private msg on Discord if you don't want to publish it here

p53 commented Dec 7, 2023

ok, tried now, i see, hmm interesting why it wasn't caught by e2e tests, will have to look more closely at this, seems keycloak is using the HS256 algorithm for the refresh token signature, not RS256, and it cannot be changed, probably they wanted this as another layer of security keycloak/keycloak#19893, but as i can see the discovery endpoint also returns HS256 among the supported algorithms, need to check more deeply what is happening

p53 commented Dec 7, 2023

ok seems like the module used for token verification doesn't support HS256

p53 commented Dec 7, 2023

also see why it wasn't caught by e2e, refresh tokens were not enabled, i thought that they were, will add that option there

bogbert commented Dec 7, 2023

I found an interesting post: https://keycloak.discourse.group/t/rs256-for-refresh-tokens/6849
According to mbonn's reply, Gatekeeper doesn't have to check the refresh token signature. This signature is produced by Keycloak and is only meant to be checked by Keycloak itself, that's why they can use HS256 (an algorithm with a symmetric key), and that's why libraries such as go-oidc don't support HS256.

p53 commented Dec 7, 2023

@bogbert yes i know that keycloak will be checking it, i wanted to make it more secure ;), some other libs also support HS256, but in this case we will probably have to leave it like it is or make it a separate feature, as this would also require having the keycloak key for verifying the hmac signature on the refresh token and adding a new library, which i am a little bit afraid of because of the quality of libs. Refresh tokens are already encrypted, so this is some "replacement" for verifying the validity of the token
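An added example illustrating the policy bogbert and p53 describe above (this is not Gatekeeper's or go-oidc's code): a Go function that verifies an ID or access token locally only when it carries one of the public-key algorithms from the error message in this thread, hands an HS256-signed refresh token back to Keycloak unverified because only the issuer holds the HMAC key, and rejects anything else, including alg "none". The kind labels, the "verify"/"defer"/"reject" outcomes and the sample tokens are constructed for the example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Public-key algs the proxy can verify with the provider JWKS (the list in the error above).
var asymmetricAlgs = map[string]bool{
	"RS256": true, "RS384": true, "RS512": true, "PS256": true, "PS384": true,
	"PS512": true, "ES256": true, "ES384": true, "ES512": true,
}

// decide applies the thread's policy to a raw compact JWS: ID/access tokens must
// use a public-key alg the proxy can check ("verify"); an HS* refresh token is
// opaque here and left to Keycloak, which holds the HMAC key ("defer"); the rest is rejected.
func decide(kind, raw string) (string, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return "reject", fmt.Errorf("not a compact JWS: got %d segments", len(parts))
	}
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0]) // untrusted header
	if err != nil {
		return "reject", err
	}
	var h struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdr, &h); err != nil {
		return "reject", err
	}
	switch {
	case asymmetricAlgs[h.Alg]:
		return "verify", nil
	case kind == "refresh" && strings.HasPrefix(h.Alg, "HS"):
		return "defer", nil
	}
	return "reject", fmt.Errorf("%s token signed with unsupported algorithm %q", kind, h.Alg)
}

// sampleToken builds a constructed token: header with the given alg, "{}" payload,
// dummy signature bytes. decide never looks at the signature.
func sampleToken(alg string) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"` + alg + `","typ":"JWT"}`))
	return hdr + ".e30.c2ln"
}

func main() {
	fmt.Println(decide("refresh", sampleToken("HS256"))) // defer <nil>
}
```

For the "verify" outcome the signature still has to be checked by the verifier library against the provider's keys; this function only decides which path a token takes.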

p53 commented Dec 8, 2023

@bogbert @p53 you can try 2.9.3-rc1, i checked manually and also added e2e, looks fine

ZPascal commented Dec 8, 2023

@p53 I've tested 2.9.3-rc1 and can confirm that it works on my side as expected. Thank you.

bogbert commented Dec 8, 2023

It doesn't work for me, I have TLS errors:

2023-12-08T10:15:45.135+0100    info    issuing access token for user   {"sub": "<user id>", "expires": "2023-12-08T10:16:45+01:00", "duration": "59.864084981s"}
2023-12-08T10:15:45.179+0100    error   Get "https://<fqdn>/auth/realms/<realm>/protocol/openid-connect/userinfo": tls: failed to verify certificate: x509: certificate is not valid for any names, but wanted tomatch <fqdn>

maybe skip-openid-provider-tls-verify: true is ignored

p53 commented Dec 8, 2023

@bogbert this seems to be a different issue, didn't touch these things, do you have idp session check on? Are you sure you don't have a duplicate skip-openid-provider-tls-verify option, once true and once false? can you post me your config?

bogbert commented Dec 8, 2023

> @bogbert this seems to be different issue, didn't touch these things, do you have idp session check on?

No I don't use this option.
skip-openid-provider-tls-verify is present only once, and it's set to true
BTW, everything is working fine with 2.9.0, same settings
I'll send you my config by mail

p53 commented Dec 8, 2023

@bogbert ok i see where the problem is, idp session check is now on by default...but it seems the problem is in the underlying library, Userinfo which it calls is a provider method, we correctly set provider options and insecure skip verify to true but this method ignores any settings in the provider, quite unexpected, will need to check the library code to see if this was intentional for some reason or it is just a bug, actually we already create new contexts with proper settings in the code because of this, it should at least take provider settings as defaults and in case settings are provided in the context take those, will probably have to make some comments in the code for the future

p53 commented Dec 8, 2023

@bogbert you can try 2.9.3-rc2, that should do the trick, i didn't have time to set up/test it manually, will add tests later when i have time, also created issue coreos/go-oidc#402

bogbert commented Dec 8, 2023

It's working with 2.9.3-rc2, thank you.

@p53 p53 modified the milestones: 2.9.2, 2.9.3 Dec 8, 2023
@p53 p53 self-assigned this Dec 11, 2023
@p53 p53 closed this as completed Dec 12, 2023