Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update OIDC id_token_signing_alg_values_supported for wider algo support #111

Merged
merged 3 commits into from
Sep 16, 2024
Merged

Update OIDC id_token_signing_alg_values_supported for wider algo support #111

merged 3 commits into from
Sep 16, 2024

Conversation

jinnatar
Copy link
Contributor

@jinnatar jinnatar commented Sep 9, 2024
edited
Loading

Previously the message verification required RS256 with no other checks
on algo. While technically RS256 MUST be supported, some implementations
have abandoned it's use as insecure and instead require for example
ES256 as a minimum baseline. Fixes #110

This change slightly relaxes the check in a future compatible way while
still making sure an actual alg is specified instead of none.

Logic test, True triggers validation failure.

>>> bad = ["none"]
>>> good = ["ES256"]
>>> dodgy = ["none", "RS256"]
>>> empty = []
>>> not any(i.lower() != "none" for i in empty)
True
>>> not any(i.lower() != "none" for i in bad)
True
>>> not any(i.lower() != "none" for i in dodgy)
False
>>> not any(i.lower() != "none" for i in good)
False

@jinnatar jinnatar marked this pull request as draft September 9, 2024 20:03
@jinnatar
Update OIDC id_token_signing_alg_values_supported for wider algo support
1897cc3 
Previously the message verification required RS256 with no other checks
on algo. While technically RS256 MUST be supported, some implementations
have abandoned it's use as insecure and instead require for example
ES256 as a minimum baseline.

This change slightly relaxes the check in a future compatible way while
still making sure an actual alg is specified instead of `none`.

```python
>>> bad = ["none"]
>>> good = ["ES256"]
>>> dodgy = ["none", "RS256"]
>>> empty = []
>>> any(i.lower() != "none" for i in dodgy)
True
>>> any(i.lower() != "none" for i in empty)
False
>>> any(i.lower() != "none" for i in good)
True
>>> any(i.lower() != "none" for i in bad)
False
```
@jinnatar jinnatar marked this pull request as ready for review September 9, 2024 20:52
@rohe
Copy link
Contributor

rohe commented Sep 15, 2024

Any reason for keeping this as a draft ?

@jinnatar
Copy link
Contributor Author

Any reason for keeping this as a draft ?

Should be ready for review, was a draft previously but it's complete now.

@rohe rohe merged commit 074ea67 into IdentityPython:main Sep 16, 2024
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rohe rohe rohe approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

id_token_signing_alg_values_supported hard-coded to RS256
2 participants
@jinnatar @rohe