From 4a006fc0f33f7b06e5a4bd64d496ae9f6844bb23 Mon Sep 17 00:00:00 2001
From: Jinna Kiisuo
Date: Mon, 9 Sep 2024 17:50:49 +0300
Subject: [PATCH] Update OIDC id_token_signing_alg_values_supported for wider algo support

Previously the message verification required RS256 with no other checks on algo. While technically RS256 MUST be supported, some implementations have abandoned it's use as insecure and instead require for example ES256 as a minimum baseline. This change slightly relaxes the check in a future compatible way while still making sure an actual alg is specified instead of `none`.

```python
>>> bad = ["none"]
>>> good = ["ES256"]
>>> dodgy = ["none", "RS256"]
>>> empty = []
>>> any(i.lower() != "none" for i in dodgy)
True
>>> any(i.lower() != "none" for i in empty)
False
>>> any(i.lower() != "none" for i in good)
True
>>> any(i.lower() != "none" for i in bad)
False
```
---
 src/idpyoidc/message/oidc/__init__.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/idpyoidc/message/oidc/__init__.py b/src/idpyoidc/message/oidc/__init__.py
index a1c9949f..61154cfb 100644
--- a/src/idpyoidc/message/oidc/__init__.py
+++ b/src/idpyoidc/message/oidc/__init__.py
@@ -942,8 +942,11 @@ def verify(self, **kwargs):
                 "token_endpoint_auth_signing_alg_values_supported"
             )
 
-        if "RS256" not in self["id_token_signing_alg_values_supported"]:
-            raise ValueError("RS256 missing from id_token_signing_alg_values_supported")
+        # Check that any alg that is not "none" is supported.
+        # While OpenID Connect Core 1.0 says RS256 MUST be supported,
+        # reality has moved on and more modern alg values may be required.
+        if not any(i.lower() == "none" for i in self["id_token_signing_alg_values_supported"]):
+            raise ValueError("Secure signing algorithm (for example RS256 or ES256) missing from id_token_signing_alg_values_supported")
 
         if not parts.query and not parts.fragment:
             pass
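Review bot: The new condition on the `if not any(...)` line is inverted relative to the intent stated in the commit message: it raises only when no entry equals "none", so `["ES256"]` and `["RS256"]` are rejected while `["none"]` is accepted, the opposite of the `!=` examples in the description. The comparison should read `if not any(i.lower() != "none" for i in self["id_token_signing_alg_values_supported"]):`, which then matches the description's table (`bad` and `empty` raise, `good` and `dodgy` pass). Two smaller points: JWA `alg` values are case-sensitive, so `.lower()` is harmless but treats a hypothetical `"NONE"` as unsigned too, which is the conservative direction; and a list that advertises `"none"` alongside a real algorithm still passes, which matches the stated goal but could be tightened with an additional `"none" in self["id_token_signing_alg_values_supported"]` check if the project wants to reject providers that offer unsigned ID tokens at all. The enclosing `verify` method starts before and continues after this hunk.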