[Update to 2.9.1] ID token signed with an unsupported algorithm #394
Comments
Hi,
thanks for reporting,
--skip-access-token-clientid-check=true --skip-access-token-issuer-check=true
Do you have these set like this? Probably you have these set to false? Anyway, I need to update the token verification code I was working on Friday/Saturday, because these checks should be turned off for refresh tokens and they are not turned off right now, so it might show a false error. I will also have to add e2e tests for this.
@ZPascal fixed issue, please try 2.9.2-rc1
I still have the problem with the 2.9.2
I've tested the pre-release and can confirm that the solution does not work.
ok, tried now, I see, hmm, interesting why it wasn't caught by e2e tests, will have to look more closely at this; seems Keycloak is using the HS256 algorithm for the refresh token signature, not RS256, and it cannot be changed, probably they wanted this as another layer of security keycloak/keycloak#19893, but as I can see the discovery endpoint also returns HS256 among supported algorithms, need to check more deeply what is happening
ok, seems like the module used for token verification doesn't support HS256
also see why it wasn't caught by e2e: refresh tokens were not enabled, I thought that they were, will add that option there
I found an interesting post: https://keycloak.discourse.group/t/rs256-for-refresh-tokens/6849
@bogbert yes, I know that Keycloak will be checking it, I wanted to make it more secure ;), some other libs also support HS256 but in this case we will probably have to leave it like it is or make it a separate feature, as this would require also having the Keycloak key for verifying the HMAC signature on the refresh token and adding a new library, which I am a little bit afraid of because of the quality of libs. Refresh tokens are already encrypted so this is some "replacement" for verifying validity of the token
@p53 I've tested 2.9.3-rc1 and can confirm that it works on my side as expected. Thank you.
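The situation the thread describes is a verifier that only holds the provider's public keys being handed a token whose header says `alg: HS256`: the discovery document advertises HS256, but without the IdP's HMAC secret a proxy cannot verify such a token, so it must either reject it or treat that token kind as opaque. The following is an added, stdlib-only Go example (not gatekeeper's or go-oidc's code) that decodes the JOSE header, filters the advertised algorithm list down to the asymmetric ones a key-only verifier can actually check, and reports the "unsupported algorithm" condition before any signature check is attempted. The function names (`ParseHeader`, `AsymmetricOnly`, `CheckAlg`, `MakeUnsignedSample`) and the sample tokens and discovery list are constructed for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// joseHeader is the subset of the JWT header needed to decide whether a
// key-only verifier can check this token at all.
type joseHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
	Kid string `json:"kid,omitempty"`
}

// ErrUnsupportedAlg is the condition reported in the thread, surfaced as a
// typed error so callers can distinguish it from malformed input.
var ErrUnsupportedAlg = errors.New("token signed with an unsupported algorithm")

// ParseHeader decodes the first segment of a compact JWT. It verifies
// nothing; it only tells us which algorithm the token claims to use.
func ParseHeader(token string) (joseHeader, error) {
	var h joseHeader
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return h, fmt.Errorf("malformed JWT: expected 3 segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return h, fmt.Errorf("malformed JWT header: %w", err)
	}
	if err := json.Unmarshal(raw, &h); err != nil {
		return h, fmt.Errorf("malformed JWT header JSON: %w", err)
	}
	if h.Alg == "" {
		return h, errors.New("JWT header has no alg")
	}
	return h, nil
}

// AsymmetricOnly drops HMAC ("HS*") and "none" from an advertised algorithm
// list: a verifier that only has the provider's JWKS cannot check those.
func AsymmetricOnly(advertised []string) []string {
	var out []string
	for _, a := range advertised {
		if strings.HasPrefix(a, "HS") || a == "none" {
			continue
		}
		out = append(out, a)
	}
	return out
}

// CheckAlg rejects a token whose header alg is not in the allow-list.
// This runs before any signature verification, so an HS256 token never
// reaches an RS256 verifier.
func CheckAlg(token string, allowed []string) error {
	h, err := ParseHeader(token)
	if err != nil {
		return err
	}
	for _, a := range allowed {
		if a == h.Alg {
			return nil
		}
	}
	return fmt.Errorf("%w: %s (allowed: %s)", ErrUnsupportedAlg, h.Alg, strings.Join(allowed, ","))
}

// MakeUnsignedSample builds a structurally valid JWT with the given alg and a
// placeholder signature. Constructed test input only; it would fail any real
// signature check.
func MakeUnsignedSample(alg string) string {
	header, _ := json.Marshal(joseHeader{Alg: alg, Typ: "JWT", Kid: "sample-kid"})
	payload := []byte(`{"iss":"https://idp.example/realms/demo","sub":"user-1"}`)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(header) + "." + enc(payload) + "." + enc([]byte("placeholder-signature"))
}

func main() {
	// Constructed discovery list: note HS256 is advertised alongside RS256.
	advertised := []string{"RS256", "ES256", "HS256"}
	allowed := AsymmetricOnly(advertised)
	fmt.Println("verifier will accept:", allowed)
	fmt.Println("ID token (RS256):", CheckAlg(MakeUnsignedSample("RS256"), allowed))
	fmt.Println("refresh token (HS256):", CheckAlg(MakeUnsignedSample("HS256"), allowed))
}
```

The design point is that the allow-list is derived from what the verifier can prove, not from what the IdP advertises; a refresh token that fails `CheckAlg` is then a token to hand back to the IdP rather than one to verify locally, which is the conclusion the thread reaches.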
It doesn't work for me, I have tls errors:
maybe
@bogbert this seems to be a different issue, I didn't touch these things, do you have the idp session check on? Are you sure you don't have duplicate
No I don't use this option.
@bogbert ok, I see where the problem is, the idp session check is now on by default... but it seems the problem is in the underlying library: Userinfo, which is a provider method, we correctly set provider options and insecure skip verify to true, but this method ignores any settings in the provider, quite unexpected, will need to check the library code to see if this was intentional for some reason or it is just a bug, actually we already create new contexts with proper settings in code because of this, it should at least take provider settings as defaults and in case settings are provided in the context take those, will probably have to make some comments in code for future
@bogbert you can try 2.9.3-rc2, that should do the trick, I didn't have time to set up/test it manually, will add tests later when I have time, also created issue coreos/go-oidc#402
It's working with 2.9.3-rc2, thank you.
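The resolution order described in that comment (settings carried in the context win, the provider's configured client is the default, and only then the process-wide default) is the part that, when skipped, produces exactly the TLS errors reported here: whatever custom CA or verification setting was placed on the provider's client is silently replaced by a plain `http.DefaultClient`. The following is an added, stdlib-only Go example, not gatekeeper's or go-oidc's code; `WithHTTPClient`, `ResolveHTTPClient` and `GetWithProviderDefaults` are hypothetical names for this illustration, and the `tls.Config` values are constructed.

```go
package main

import (
	"context"
	"crypto/tls"
	"fmt"
	"net/http"
)

// httpClientKey is the unexported context key under which a caller may
// supply a per-request *http.Client.
type httpClientKey struct{}

// WithHTTPClient attaches an override client to the context.
func WithHTTPClient(ctx context.Context, c *http.Client) context.Context {
	return context.WithValue(ctx, httpClientKey{}, c)
}

// ResolveHTTPClient picks the client in the order the thread argues for:
// 1. a client explicitly placed in the context,
// 2. the provider's own configured client (carrying its TLS settings),
// 3. http.DefaultClient as a last resort.
// Jumping straight to step 3 is the bug being discussed.
func ResolveHTTPClient(ctx context.Context, providerDefault *http.Client) *http.Client {
	if c, ok := ctx.Value(httpClientKey{}).(*http.Client); ok && c != nil {
		return c
	}
	if providerDefault != nil {
		return providerDefault
	}
	return http.DefaultClient
}

// NewProviderClient is how a provider would hold its TLS settings (custom
// root CAs, server name, and so on) on a dedicated client.
func NewProviderClient(cfg *tls.Config) *http.Client {
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
}

// TLSConfigOf exposes the TLS settings a client will actually use, so a test
// can check that provider settings survived resolution.
func TLSConfigOf(c *http.Client) *tls.Config {
	t, ok := c.Transport.(*http.Transport)
	if !ok || t == nil {
		return nil
	}
	return t.TLSClientConfig
}

// GetWithProviderDefaults is the shape a userinfo call should have: the
// request is made with the resolved client, never with a fresh default one.
func GetWithProviderDefaults(ctx context.Context, providerDefault *http.Client, url string) (int, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return 0, err
	}
	resp, err := ResolveHTTPClient(ctx, providerDefault).Do(req)
	if err != nil {
		return 0, err
	}
	defer resp.Body.Close()
	return resp.StatusCode, nil
}

func main() {
	// Constructed provider TLS settings; a real provider would set RootCAs here.
	provider := NewProviderClient(&tls.Config{ServerName: "idp.example"})

	got := ResolveHTTPClient(context.Background(), provider)
	fmt.Println("no context override -> provider client used:", got == provider)

	override := &http.Client{}
	got = ResolveHTTPClient(WithHTTPClient(context.Background(), override), provider)
	fmt.Println("context override present -> override used:", got == override)
}
```

If a library method drops to `http.DefaultClient` whenever the caller passes a plain `context.Background()`, the symptom is what this thread shows: the provider was configured correctly, and the userinfo call still fails TLS verification.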
[Update to 2.9.1] ID token signed with an unsupported algorithm
Summary
Hi @p53, after the update to 2.9.1, I'm facing an issue with the ID token: the proxy reports that the signature algorithm is not supported. I'm running Keycloak with default settings and I've already tried to adjust the client settings and signature algorithm on the Keycloak side to a listed algorithm (from the error message). After changing the algorithm the issue persists. The corresponding error occurs after the update from Gatekeeper version 2.9.0 to 2.9.1. Have you changed something related to the signature algorithm?
Environment
Expected Results
The calls should work as expected and deliver the same result as with version 2.9.0 of the gatekeeper.
Actual Results