oidc: at_hash / c_hash mismatch #338
Comments
Thanks for reporting, I think I know what the issue is. Go is encoding
Maybe
Yes, I think the bug applies to all hashes!
I hope the commit above resolves this issue. Would you mind trying it out? The PR is #329
Are the prerelease builds stored anywhere?
No unfortunately not, I'll just release it and fix it in the next minor release if there's still something wrong
I'll reopen if the issues persist
Please reopen. This seems to persist for the "code" response_type:
Ah, apparently the problem now is the padding, Go adds two equals
Since libraries should be able to deal with base64url encoding and padding (which is not omitted by default), I will create a patch for the dependency. I was not able to find information on padding in the oidc spec. The patch is quite trivial:

```js
function validate(actual, token) {
  if (!actual) return false;
  // strip any trailing base64 padding before looking up the hash length
  actual = actual.replace(/=+$/, '')
  const alg = LENGTHS[actual.length];
  if (!alg) return false;
  return generate(token, alg) === actual;
}
```
The PR is now here: panva/oidc-token-hash#1 Please notify the maintainers of the change, maybe they need to upgrade their package.json
Thank you!
No, I'm not certain that the padding should be left in, but let's see what the maintainer says! The library (oidc-token-hash) does not seem to be certified and also not widely used (this was the first PR). Unfortunately, I could not find an OpenID Connect reference implementation for Go.
The link https://www.npmjs.com/package/openid-client says it's certified.
Yes, that one is certified, I'm just not sure if that includes the oidc-token-hash dependency :)
Even the reference table on wikipedia is confusing :D https://en.wikipedia.org/wiki/Base64#Implementations_and_history
And I can't find any base64url encoded values (in the docs and here: Maybe it's yet another thing that's undocumented but everyone does it.
Let's wait and see what the maintainer says. I'm open to remove the padding, just want to make sure it's not a special case :)
Ok, I think I'll just omit it then! Feel free to accept/close the PR :)
I think stripping the paddings to produce valid hashes is the way to go, nevertheless the PR is merged, version published and @janekolszak just needs to update his locked dependencies.
Ok, thanks for the quick response times!
oidc-token-hash is simply a shared piece of code for node-openid-client and node-oidc-provider to produce and validate these hashes, made no sense to have the same js file in both libraries :)
@panva sorry if I ask so directly, but how did you get the library certified and did it cost money? I intend to get some certifications for this repo as well!
@arekkas the tools and processes are linked at http://openid.net/certification/, they are btw great tools to validate your functionality, for example the padding would have been checked and rejected by the OP testing tool. Hit me up via email if you'd like more details.
Awesome, thank you so much!
Hi!
I get a c_hash mismatch when using https://www.npmjs.com/package/openid-client.
Query:
Decoded id_token:
c_hash in the id_token seems to be wrong. sha256sum returns: