Google OpenID Connect can't locate which key to use
I'm not completely convinced I have identified this problem, but there's a more detailed explanation here: http://stackoverflow.com/questions/30342783/intermittant-bad-jws-signature-w-t-google-apps-open-id-authentication/31524820#31524820
Summary:
The main challenge with Google is that it seems to provide two alternate keys from its certificates endpoint. These have the same algorithm, but different key identifiers. Unfortunately, the default implementation of the Connect2D JWT decoder selects a key by algorithm alone (i.e., just the RS256), so it is down to luck which one you get first.
This means the key id (kid) is ignored, even though it is present in the JWT header. In effect, the verifier selected is 50% likely to be the wrong one, and therefore obviously won't verify. All lookups are sequential, so probably stable, leading the observed behaviour of periods of consistent success or failure.
A correct implementation of the JWT decoder should probably:
- Use the kid as well as the algorithm to select which key to use
- If no verifier is available for a given kid, should probably re-fetch the keys from the discovery API endpoint. This is because Google change their keys pretty often anyway, so if you initialize once you'll never get the new keys.
Comments (8)
-
reporter -
Hi Stuart,
Which version of the library are you using?
The 4.0 release candidates include a new framework for key selection which should be able to handle multiple key IDs.
-
reporter I'm using 3.4.1 -- this is a dependency from pac4j. However, I've had a look at the sources, and I can't see where in the DefaultJWTDecoder the key identifiers are used to select the appropriate verifier. In theory the verifier itself might handle multiple keys, but that'd be in the JOSE component not here.
There are API differences too, I've come across one already in AuthorizationCodeGrant which means I'll need to work around that at least to upgrade.
Maybe if you could point me at this new framework, or even better an example of its use, I could have a go at working it through. I'm already patching the hell out of pac4j because it couldn't provide absolute URLs properly.
-
Hi Stuart,
Sorry, there was a bit of a mix up, it is the Nimbus JOSE+JWT lib that now has a brand new framework for processing JWTs (http://connect2id.com/blog/nimbus-jose-jwt-4.0-rc1), however, its integration into the OIDC SDK is still on our to do list. We're currently busy completing a new release of the Connect2id server, and will not be able to dedicate time on the SDK until 29 July.
If you're using v3.4.1 of the OIDC SDK you have two options:
-
Implement an alternative JWTDecoder.
-
Extend the JWSVerifier implementation to support key ID lookup.
The first approach will probably be the easier of the two.
-
-
reporter That's fine -- and I've already started doing that (option 1). I'm not expecting much effort from anyone else on this, but since there are a number of sporadic reports of the JWS signature verification failing, especially for Google OIDC, I thought it a good idea to have some public issues around that could mark the causes of the problem.
-
This is very considerate of you. Happy coding! :)
-
Hi,
I think I have run into this issue and was wondering if it has been resolved and I am implementing the decoding process wrong or if it will be resolved in the 5.0 release.
Regards
-
- changed status to resolved
There's now a new IDTokenVerifier with support for automatic JWK set download, caching and key rotation:
http://connect2id.com/blog/how-to-validate-an-openid-connect-id-token
Requires
http://www.javadoc.io/doc/com.nimbusds/oauth2-oidc-sdk/5.0-alpha15
- Log in to comment
Relevant spec sections for reference:
http://openid.net/specs/openid-connect-core-1_0.html#Signing
...