colin
/
bookstack
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fixed OIDC JWT key parsing in microsoft environments 

Made existence of 'alg' optional when JWK array set so we instead infer
it as RSA256 if not existing.

Fixes #3206
This commit is contained in:
Dan Brown 2022-01-28 14:00:55 +00:00
parent c11f795c1d
commit 73eac83afe
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 32 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
app/Auth/Access/Oidc/OidcJwtSigningKey.php
View File

@ -60,8 +60,11 @@ class OidcJwtSigningKey
*/ */
protected function loadFromJwkArray(array $jwk) protected function loadFromJwkArray(array $jwk)
{ {
if ($jwk['alg'] !== 'RS256') { // 'alg' is optional for a JWK, but we will still attempt to validate if
throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}"); // it exists otherwise presume it will be compatible.
$alg = $jwk['alg'] ?? null;
if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
} }
if (empty($jwk['use'])) { if (empty($jwk['use'])) {

3
app/Auth/Access/Oidc/OidcProviderSettings.php
View File

@ -164,7 +164,8 @@ class OidcProviderSettings
protected function filterKeys(array $keys): array protected function filterKeys(array $keys): array
{ {
return array_filter($keys, function (array $key) { return array_filter($keys, function (array $key) {
return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256'; $alg = $key['alg'] ?? null;
return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) || $alg === 'RS256');
}); });
} }

25
tests/Auth/OidcTest.php
View File

@ -318,6 +318,31 @@ class OidcTest extends TestCase
$this->assertCount(4, $transactions); $this->assertCount(4, $transactions);
} }
public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property()
{
$this->withAutodiscovery();
$keyArray = OidcJwtHelper::publicJwkKeyArray();
unset($keyArray['alg']);
$this->mockHttpClient([
$this->getAutoDiscoveryResponse(),
new Response(200, [
'Content-Type' => 'application/json',
'Cache-Control' => 'no-cache, no-store',
'Pragma' => 'no-cache',
], json_encode([
'keys' => [
$keyArray,
],
])),
]);
$this->assertFalse(auth()->check());
$this->runLogin();
$this->assertTrue(auth()->check());
}
protected function withAutodiscovery() protected function withAutodiscovery()
{ {
config()->set([ config()->set([