
[58320] Exposing sign in service public key for access token decoding #12814

Merged
May 26, 2023

Conversation

@bosawt (Contributor) commented May 25, 2023

Summary

  • This PR adds a route, /sign_in/openid_connect/certs, that allows any Sign in Service client to retrieve the public key associated with encoded access_token JWTs. This can be useful for clients to decode the access tokens and confirm the access token came from the sign in service.

Related issue(s)

Testing done

  • Made a request to: localhost:3000/sign_in/openid_connect/certs, confirmed response:
    {"keys":[{"kty":"RSA","n":"q-pGrTVuIUeEXkcJAftVRfw3SSCZOXisy6SQ6ArhxirP5vvP2e0kN2XnSmBsIln05KnjLaOc5Ai-tDZk-euknDiBO_1qqUHg2LyCefyZYKtBdTfaGS-pVVfGfUo56WnAiRU5B43kvHCT8LDqy9hWI5Rf34p0KinLoOhtcwJEmdhnqw-DYxHSKAd55pl-pTPsvj2fj2yRJ_JRS6JrFTNYW3BSHQPaPYLtfrBEYXj6W-Xca3l0M9TNkqPycP5XNmk--6d1aaGvVXzLSeCoi0XvaQ6kQxStzPFpRiBBvM7kqRpPwzZH1Cck3JUdeKAbTfemBKOKW3Xi0gL58WtHLHmsIQ","e":"AQAB","alg":"RS256","use":"sig","kid":"3466532fee9067b03724e8afe31d567cadc0bd8a54b0635c8f93f4651b0c432e"}]}

What areas of the site does it impact?

Sign in Service Authentication

Acceptance criteria

  • Hit the following endpoint: localhost:3000/sign_in/openid_connect/certs
  • Decode the resulting JWK and confirm this is the intended certificate (the intended certificate is the public_key corresponding to Settings.sign_in.jwt_encode_key)
  • Confirm the resulting JWK does NOT expose the Sign in Service encoding private key

@bosawt bosawt requested review from a team as code owners May 25, 2023 23:42
@va-vfs-bot va-vfs-bot temporarily deployed to 58320_sign_in_service_public_key/main/main May 25, 2023 23:52
@joeniquette (Contributor) commented:

@bosawt I'm not able to extract the public cert from the URL. I tried to use the jwt.io site and decode the value at the n attribute and got an error saying the signature wasn't valid. I then went the rails route and tried:

    require 'net/http'
    require 'json'
    require 'jwt'

    # Fetch the JWKS document from the local sign in service
    uri = URI.parse('http://localhost:3000/sign_in/openid_connect/certs')
    response = JSON.parse(Net::HTTP.get_response(uri).body)
    # Take the first (only) key and turn the JWK into an OpenSSL RSA public key
    jwk = response['keys'].first
    public_key = JWT::JWK::RSA.import(jwk).public_key

the result of printing public_key returned basically a blank key, I think. I at least have never seen it this way. Perhaps this is expected?
#<OpenSSL::PKey::RSA:0x0000000147cb0f28 oid=rsaEncryption>

@bramleyjl (Contributor) commented:

the result of printing public_key returned basically a blank key, I think. I at least have never seen it this way. Perhaps this is expected? #<OpenSSL::PKey::RSA:0x0000000147cb0f28 oid=rsaEncryption>

@joeniquette I followed your steps and tried printing it out to a string, looks fine to me?

3.2.0 :014 > public_key.to_s
 => "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAq+pGrTVuIUeEXkcJAftV\nRfw3SSCZOXisy6SQ6ArhxirP5vvP2e0kN2XnSmBsIln05KnjLaOc5Ai+tDZk+euk\nnDiBO/1qqUHg2LyCefyZYKtBdTfaGS+pVVfGfUo56WnAiRU5B43kvHCT8LDqy9hW\nI5Rf34p0KinLoOhtcwJEmdhnqw+DYxHSKAd55pl+pTPsvj2fj2yRJ/JRS6JrFTNY\nW3BSHQPaPYLtfrBEYXj6W+Xca3l0M9TNkqPycP5XNmk++6d1aaGvVXzLSeCoi0Xv\naQ6kQxStzPFpRiBBvM7kqRpPwzZH1Cck3JUdeKAbTfemBKOKW3Xi0gL58WtHLHms\nIQIDAQAB\n-----END PUBLIC KEY-----\n"  
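The acceptance criteria above (decode the JWK, confirm it matches the encode key's public half, confirm no private key leaks) and the extraction trouble in the two comments above can be exercised without the jwt gem. The following is an added example, not code from this PR or from vets-api: it uses only Ruby's openssl and json, generates a throwaway RSA key as a stand-in for Settings.sign_in.jwt_encode_key, shapes a JWK like the /sign_in/openid_connect/certs response, and verifies an RS256 token with the key rebuilt from that JWK; the kid derivation and the sign_rs256 helper are assumptions, since the page does not show the service's encoder.

```ruby
require 'openssl'
require 'json'

# base64url without padding, as JWK and JWS members use (RFC 7515 section 2).
def b64url_decode(s)
  (s.tr('-_', '+/') + '=' * (-s.length % 4)).unpack1('m0')
end
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

PRIVATE_MEMBERS = %w[d p q dp dq qi oth].freeze # members only a private RSA JWK carries (RFC 7518 6.3.2)
def exposes_private_key?(jwk)
  PRIVATE_MEMBERS.any? { |m| jwk.key?(m) }
end

# Rebuild the public key from n and e via SubjectPublicKeyInfo DER (works with immutable OpenSSL 3 keys).
def jwk_to_public_key(jwk)
  ints = %w[n e].map { |m| OpenSSL::ASN1::Integer(OpenSSL::BN.new(b64url_decode(jwk[m]), 2)) }
  alg_id = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  spki = OpenSSL::ASN1::Sequence([alg_id, OpenSSL::ASN1::BitString(OpenSSL::ASN1::Sequence(ints).to_der)])
  OpenSSL::PKey::RSA.new(spki.to_der)
end

# Verify an RS256 JWT and return its claims, or nil; checking alg first refuses HS256/none downgrades.
def verify_rs256(token, pub)
  h, p, s = token.split('.')
  return nil unless h && p && s && JSON.parse(b64url_decode(h))['alg'] == 'RS256'
  return nil unless pub.verify('SHA256', b64url_decode(s), "#{h}.#{p}")
  JSON.parse(b64url_decode(p))
end
# Minting side, used only to build test input (the project's encoder is not on the page).
def sign_rs256(claims, priv, kid)
  segs = [{ alg: 'RS256', typ: 'JWT', kid: kid }, claims].map { |o| b64url_encode(JSON.generate(o)) }
  (segs << b64url_encode(priv.sign('SHA256', segs.join('.')))).join('.')
end
# Public JWK shaped like the /sign_in/openid_connect/certs response; the kid derivation is constructed.
def public_jwk(pub)
  { 'kty' => 'RSA', 'n' => b64url_encode(pub.n.to_s(2)), 'e' => b64url_encode(pub.e.to_s(2)),
    'alg' => 'RS256', 'use' => 'sig', 'kid' => OpenSSL::Digest::SHA256.hexdigest(pub.to_der) }
end
ENCODE_KEY = OpenSSL::PKey::RSA.new(2048) # constructed stand-in for Settings.sign_in.jwt_encode_key
CERTS_RESPONSE = JSON.generate('keys' => [public_jwk(ENCODE_KEY.public_key)])

# The acceptance criteria as one check: no private members, and the key verifies the token.
def check_certs_response(json, token)
  jwk = JSON.parse(json)['keys'].first
  return :private_key_exposed if exposes_private_key?(jwk)
  verify_rs256(token, jwk_to_public_key(jwk)) ? :verified : :bad_signature
end
```

Printing jwk_to_public_key(jwk).to_pem gives the same "-----BEGIN PUBLIC KEY-----" block that public_key.to_s shows above, so the blank-looking inspect output is just OpenSSL's default representation.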

@bramleyjl (Contributor) left a review:

Tested and got a public key, LGTM!

@bosawt (Contributor, Author) commented May 26, 2023


@joeniquette Were you able to figure this out for you? I admit I'm not in love with the JWK thing as it's a pain to get the public key out of it, but 🤷 I guess it's part of the OIDC spec

@ryan-mcneil (Contributor) left a review:

LGTM

@joeniquette (Contributor) commented May 26, 2023 via email

@bosawt bosawt merged commit b103958 into master May 26, 2023
@bosawt bosawt deleted the 58320_sign_in_service_public_key branch May 26, 2023 17:33