Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

id token signed with unsupported algorithm Error (error at traefik-forward-auth) #429

Closed
AdriDevelopsThings opened this issue May 8, 2024 · 5 comments
Closed

id token signed with unsupported algorithm Error (error at traefik-forward-auth) #429

AdriDevelopsThings opened this issue May 8, 2024 · 5 comments

Comments

@AdriDevelopsThings
Copy link

I'm trying to verify a oidc token but I get the following error: id token signed with unsupported algorithm, expected [\"RS256\"] got \"ES256\". The openid-configurations key id_token_signing_alg_values_supported is ["ES256"]. The library should automatically recognize the algorithm.

go-oicd version: v2.2.1

Context: I'm using traefik-forward-auth what is using this library. They verify the token here: https://github.com/thomseddon/traefik-forward-auth/blob/master/internal/provider/oidc.go#L88. I'm not sure if the bug is in traefik-forward-auth or in go-oidc but I guess you can see the problem faster.

I already found this issue but traefik-forward-auth uses Verifier instead of NewVerifier. There is someone at traefik-forward-auth who has the same problem than me (thomseddon/traefik-forward-auth#358) but the supported algorithms should be recognized by this library automatically instead of adding them manually I guess.
@ericchiang
Copy link
Collaborator

The algorithms should already be detected through the id_token_signing_alg_values_supported key in discovery.

go-oidc/oidc/oidc.go

Line 138 in 22dfdca

Algorithms []string `json:"id_token_signing_alg_values_supported"`

go-oidc/oidc/oidc.go

Lines 242 to 255 in 22dfdca

var algs []string
for _, a := range p.Algorithms {
if supportedAlgorithms[a] {
algs = append(algs, a)
}
}
return &Provider{
issuer: issuerURL,
authURL: p.AuthURL,
tokenURL: p.TokenURL,
deviceAuthURL: p.DeviceAuthURL,
userInfoURL: p.UserInfoURL,
jwksURL: p.JWKSURL,
algorithms: algs,

go-oidc/oidc/verify.go

Lines 138 to 144 in 22dfdca

if len(config.SupportedSigningAlgs) == 0 && len(p.algorithms) > 0 {
// Make a copy so we don't modify the config values.
cp := &Config{}
*cp = *config
cp.SupportedSigningAlgs = p.algorithms
config = cp
}

What provider are you attempting to use this with? Do you have their discovery doc?

@AdriDevelopsThings
Copy link
Author

I'm using https://kanidm.github.io/. You can take a look to my openid configuration here.

@ericchiang
Copy link
Collaborator

Thanks! I was able to reproduce #430

Will get a fix in a sec

@ericchiang
Copy link
Collaborator

Actually, there was a bug in my test. With an e2e program, I'm not able to reproduce. The program appears to be correctly reading the ES256 algorithm

@ericchiang ericchiang mentioned this issue May 8, 2024
Merged
@AdriDevelopsThings
Copy link
Author

Thanks for your help but I found the problem: I was just using an old version of traefik-forward-auth. The current version works for me.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@ericchiang @AdriDevelopsThings