regression: JWK must contain an alg parameter

[mtron]

Steps to reproduce

* update user_oidc from 1.3.3 to 1.3.4

Expected behavior

• login still works as usual

Actual behaviour

After updating login via oidc is not possible any more. Error:

  "Exception": "UnexpectedValueException",
   "Message": "JWK must contain an "alg" parameter",

Downgrading user_oidc to 1.3.3. fixes the issue.

It seems my oidc idp (shibboleth with oidc plugin) does not supply this param and according to rfc-7517 alg is optional

The "alg" value is a case-sensitive ASCII string. Use of this member is OPTIONAL.

Help please

[dvoijen]

Here the same issue, however rolling back does not work either.
When doing that the OpenID Connect configuration page is empty cannot add a configuration.
@mtron how did you Downgrade?

[acn128]

I have the same problem (using LemonLDAP::NG as OpenID backend).

Downgrading to 1.3.3 did resolve the problem for me, I've used the file from here:
https://apps.nextcloud.com/apps/user_oidc/releases?platform=28#28
https://github.com/nextcloud-releases/user_oidc/releases/download/v1.3.3/user_oidc-v1.3.3.tar.gz

I removed the user_oidc folder from my Nextcloud's "apps" directory on my Linux server and unpacked the tar.gz there, so I got a new user_oidc folder with v1.3.3

[dvoijen]

@acn128 works now indeed, i downlaoded the wrong package!!!
many thanks!!!

[julien-nc]

Hey, I can't reproduce this issue. I need more details on the Exception that is raised. Could someone provide the full log line?

[acn128]

Hi,
here a entry from nextcloud.log (some ids redacted):

{"reqId":"xxx","level":3,"time":"2023-11-20T12:36:59+00:00","remoteAddr":"193.197.165.9","user":"--","app":"index","method":"GET","url":"/apps/user_oidc/code?code=xxx&state=xxx&session_state=xxx","message":"JWK must contain an \"alg\" parameter","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0","version":"25.0.13.2","exception":{"Exception":"UnexpectedValueException","Message":"JWK must contain an \"alg\" parameter","Code":0,"Trace":[{"file":"/var/www/xxx/apps/user_oidc/lib/Vendor/Firebase/JWT/JWK.php","line":69,"function":"parseKey","class":"OCA\\UserOIDC\\Vendor\\Firebase\\JWT\\JWK","type":"::"},{"file":"/var/www/xxx/apps/user_oidc/lib/Service/DiscoveryService.php","line":85,"function":"parseKeySet","class":"OCA\\UserOIDC\\Vendor\\Firebase\\JWT\\JWK","type":"::"},{"file":"/var/www/xxx/apps/user_oidc/lib/Controller/LoginController.php","line":417,"function":"obtainJWK","class":"OCA\\UserOIDC\\Service\\DiscoveryService","type":"->"},{"file":"/var/www/xxx/lib/private/AppFramework/Http/Dispatcher.php","line":225,"function":"code","class":"OCA\\UserOIDC\\Controller\\LoginController","type":"->"},{"file":"/var/www/xxx/lib/private/AppFramework/Http/Dispatcher.php","line":133,"function":"executeController","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/xxx/lib/private/AppFramework/App.php","line":172,"function":"dispatch","class":"OC\\AppFramework\\Http\\Dispatcher","type":"->"},{"file":"/var/www/xxx/lib/private/Route/Router.php","line":298,"function":"main","class":"OC\\AppFramework\\App","type":"::"},{"file":"/var/www/xxx/lib/base.php","line":1053,"function":"match","class":"OC\\Route\\Router","type":"->"},{"file":"/var/www/xxx/index.php","line":36,"function":"handleRequest","class":"OC","type":"::"}],"File":"/var/xxx/wolke/apps/user_oidc/lib/Vendor/Firebase/JWT/JWK.php","Line":112,"CustomMessage":"--"}}

Is this helpful?

[julien-nc]

@acn128 Yes it's very useful, thanks. I could artificially remove the "alg" field provided by Keycloak and reproduce the bug. The alg is now set for the relevant key on the fly using the alg value contained in the ID token. Long story short: #713 should fix the problem.

Could someone try it on their side?

[julien-nc]

A fix is included in v1.3.5
Anyone tried it?

[mtron]

Yes, v1.3.5 works, thx.