From be4bc919ca5ffea94d11c43ef35a33c236386c60 Mon Sep 17 00:00:00 2001
From: Jinna Kiisuo
Date: Mon, 9 Sep 2024 17:50:49 +0300
Subject: [PATCH] Update OIDC id_token_signing_alg_values_supported for wider algo support

Previously the message verification required RS256 with no other checks on algo. While technically RS256 MUST be supported, some implementations have abandoned it's use as insecure and instead require for example ES256 as a minimum baseline. This change slightly relaxes the check in a future compatible way while still making sure an actual alg is specified instead of `none`.

```python
>>> bad = ["none"]
>>> good = ["ES256"]
>>> dodgy = ["none", "RS256"]
>>> empty = []
>>> any(i.lower() != "none" for i in dodgy)
True
>>> any(i.lower() != "none" for i in empty)
False
>>> any(i.lower() != "none" for i in good)
True
>>> any(i.lower() != "none" for i in bad)
False
```
---
 src/idpyoidc/message/oidc/__init__.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/idpyoidc/message/oidc/__init__.py b/src/idpyoidc/message/oidc/__init__.py
index a1c9949f..7ac39c11 100644
--- a/src/idpyoidc/message/oidc/__init__.py
+++ b/src/idpyoidc/message/oidc/__init__.py
@@ -942,8 +942,11 @@ def verify(self, **kwargs):
             "token_endpoint_auth_signing_alg_values_supported"
         )
 
-        if "RS256" not in self["id_token_signing_alg_values_supported"]:
-            raise ValueError("RS256 missing from id_token_signing_alg_values_supported")
+        # Check that any alg that is not "none" is supported.
+        # While OpenID Connect Core 1.0 says RS256 MUST be supported,
+        # reality has moved on and more modern alg values may be required.
+        if any(lower(i) != "none" for i in self["id_token_signing_alg_values_supported"]:
+            raise ValueError("Secure signing algorithm (for example RS256 or ES256) missing from id_token_signing_alg_values_supported")
 
         if not parts.query and not parts.fragment:
             pass
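Review bot: The new `if` line does not parse — the `any(` call is never closed before the `:` — and even with the parenthesis restored it calls an undefined name `lower` (there is no such builtin; the commit description itself uses `i.lower()`) and has its condition inverted, so it would raise for a provider that advertises a real algorithm and pass silently when the list is empty or contains only `none`, which is exactly the case the check exists to block. The line should read `if not any(alg.lower() != "none" for alg in self["id_token_signing_alg_values_supported"]):`. A test pinning the `["none"]`, `[]` and `["ES256"]` cases from the description would have caught all three problems. Note also that the direct `self[...]` index still surfaces a missing key as `KeyError` rather than the `ValueError` callers of this check expect, as it did before the change. `verify` continues outside the hunk.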