
feat(jans-auth-server): rename "key_ops" -> "key_ops_type" (some frameworks do not allow custom key_ops like "ssa") #3790

Status: Closed
yuriyz opened this issue Feb 6, 2023 · 1 comment · Fixed by #3791 or #3792
Labels: comp-jans-auth-server (Component affected by issue or PR), kind-feature (Issue or PR is a new feature request)

Comments


yuriyz commented Feb 6, 2023

Description

AS publishes jwks with key_ops as follows:

  • for Connect purpose: "key_ops": ["connect"]
  • for SSA purpose: "key_ops": ["ssa"]

Nimbus has a strict list of key_ops defined and does not allow custom values like connect or ssa. It leads to failure for any JWT validation pointed at our remote jwks.

06-02 15:17:08.907 ERROR gluu.casa.core.OIDCFlowService OIDCFlowService.java:241- Couldn't parse remote JWK set: Invalid JWK at position 0: Invalid JWK operation: connect
com.nimbusds.jose.RemoteKeySourceException: Couldn't parse remote JWK set: Invalid JWK at position 0: Invalid JWK operation: connect
        at com.nimbusds.jose.jwk.source.RemoteJWKSet.updateJWKSetFromURL(RemoteJWKSet.java:313) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
        at com.nimbusds.jose.jwk.source.RemoteJWKSet.get(RemoteJWKSet.java:437) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
        at com.nimbusds.jose.proc.JWSVerificationKeySelector.selectJWSKeys(JWSVerificationKeySelector.java:157) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.selectKeys(DefaultJWTProcessor.java:283) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:354) ~[nimbus-jose-jwt-9.25.6.jar:9.25.6]
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321) ~[oauth2-oidc-sdk-10.4.jar:10.4]
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254) ~[oauth2-oidc-sdk-10.4.jar:10.4]
        at org.gluu.casa.core.OIDCFlowService.validateIDToken(OIDCFlowService.java:237) ~[classes/:?]

Here is the source code of nimbus:
https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/src/main/java/com/nimbusds/jose/jwk/KeyOperation.java

Anyone can use nimbus for validation. We can't allow it to fail.

Thus the idea is to rename "key_ops" -> "key_ops_type" in our jwks

Related: #3415

@yuriyz yuriyz added comp-jans-auth-server Component affected by issue or PR kind-feature Issue or PR is a new feature request labels Feb 6, 2023
@yuriyz yuriyz added this to the 1.0.7 milestone Feb 6, 2023
@yuriyz yuriyz self-assigned this Feb 6, 2023
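To make the failure and the fix concrete, here is an added Python illustration (not code from the issue, from Nimbus or from jans-auth-server) that mirrors the strict RFC 7517 key_ops check Nimbus applies, run over a constructed JWKS before and after the rename. The sample kids and the omitted key material are assumptions; the registered key_ops list is the one from RFC 7517 section 4.3, and RFC 7517 section 4 requires parsers to ignore members they do not understand, which is why a private key_ops_type member passes where a custom key_ops value does not.

```python
import json

# Registered key_ops values from RFC 7517 section 4.3. Nimbus's KeyOperation
# enum (linked in the issue) accepts exactly these, so "connect" or "ssa" fails.
REGISTERED_KEY_OPS = frozenset({
    "sign", "verify", "encrypt", "decrypt",
    "wrapKey", "unwrapKey", "deriveKey", "deriveBits",
})


def parse_jwks_strict(jwks_json: str) -> list:
    """Parse a JWKS the way a strict consumer does: any JWK carrying a
    non-registered key_ops value makes the whole set unusable."""
    keys = json.loads(jwks_json).get("keys", [])
    for idx, jwk in enumerate(keys):
        for op in jwk.get("key_ops", []):
            if op not in REGISTERED_KEY_OPS:
                raise ValueError(
                    f"Invalid JWK at position {idx}: Invalid JWK operation: {op}")
    return keys


def parse_error(jwks_json: str):
    """Return the strict parser's error message, or None if the set parses."""
    try:
        parse_jwks_strict(jwks_json)
    except ValueError as exc:
        return str(exc)
    return None


def select_kids(jwks_json: str, purpose: str) -> list:
    """After the rename, a client that knows about the private key_ops_type
    member can still pick keys by purpose; strict parsers simply ignore it."""
    keys = parse_jwks_strict(jwks_json)
    return [k["kid"] for k in keys if purpose in k.get("key_ops_type", [])]


# Constructed sample JWKS (kids invented, public-key material omitted), as
# published before the fix: custom key_ops values that break strict parsers.
JWKS_BEFORE = json.dumps({"keys": [
    {"kty": "RSA", "kid": "connect-1", "use": "sig", "alg": "RS256",
     "key_ops": ["connect"]},
    {"kty": "RSA", "kid": "ssa-1", "use": "sig", "alg": "RS256",
     "key_ops": ["ssa"]},
]})

# The same set after renaming key_ops -> key_ops_type, as proposed in the issue.
JWKS_AFTER = JWKS_BEFORE.replace('"key_ops"', '"key_ops_type"')
```

Running parse_error(JWKS_BEFORE) reproduces the "Invalid JWK at position 0: Invalid JWK operation: connect" message from the Casa log, while JWKS_AFTER parses cleanly and select_kids(JWKS_AFTER, "ssa") still finds the SSA key.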

yuriyz commented Feb 6, 2023

cc @iromli @jgomer2001 @devrimyatar

yuriyz added a commit that referenced this issue Feb 7, 2023
Some frameworks do not allow custom key_ops like "ssa" (e.g. nimbus)
yuriyz added a commit that referenced this issue Feb 7, 2023
Some frameworks do not allow custom key_ops like "ssa" (e.g. nimbus)
yuriyz added a commit that referenced this issue Feb 7, 2023
Some frameworks do not allow custom key_ops like "ssa" (e.g. nimbus)
yuriyz added a commit that referenced this issue Feb 7, 2023
Some frameworks do not allow custom key_ops like "ssa" (e.g. nimbus)