Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: function to locally validate a JWT #330

Merged
merged 1 commit into from
Jan 18, 2024
Merged

feat: function to locally validate a JWT #330

merged 1 commit into from
Jan 18, 2024

Conversation

paulswartz
Copy link
Collaborator

Many access tokens are JWTs, which clients can validate without needing to use the token_introspection endpoint. This allows multiple clients using the same issuer to use access tokens as a means of validation between them.

@maennchen
Copy link
Member

The implementation loads all supported signing / encryption algorithms. That will probably even include none if that is enabled in jose.

    {jws, {alg, SigningAlgs}} = jose_supports(jws),
    {jwe, {alg, EncryptionAlgs}, {enc, EncryptionEncs}, _} = jose_supports(jwe),

I believe this is not a safe assumption to make.

My idea so far was to allow verifying access tokens as id tokens. You can see this here: Oidcc.Plug.ValidateJwtToken

I see three routes to handle this:

  • Allow to verify with the same rules as id token (as it is right now; possibly expand the docs to explain this use case)
  • Provide a dedicated function but with a lot more arguments for signing / encryption parameters (no magic, user has to think about it and provide valid options)
  • Do not offer access token verification at all since it is not part of the standard (i think...?). Users have to use jose & possibly the openid configuration metadata directly.

@paulswartz paulswartz marked this pull request as draft January 10, 2024 13:49
@paulswartz
Copy link
Collaborator Author

For this particular case, the access token will not validate as an ID token at a different client because the "azp" claim only matches the initial client. However, the other clients are listed in "aud". The Zitadel CT test doesn't really cover this unfortunately, as it doesn't return an "azp" claim.

What do you think about using the JOSE values as defaults (possibly even filtering out "none") but allow them to be overridden in Opts?

@maennchen
Copy link
Member

maennchen commented Jan 10, 2024
edited

The whole topic with azp possibly deserves a solution in general. The standard is very clear on it, but just doesn’t reflect what I saw so far in reality.

I don’t think just allowing everything (possibly besides none) is a safe default.

@paulswartz paulswartz marked this pull request as ready for review January 18, 2024 19:57
maennchen
maennchen reviewed Jan 18, 2024
View reviewed changes
lib/oidcc/token.ex Outdated Show resolved Hide resolved
src/oidcc_token.erl Show resolved Hide resolved
@paulswartz
feat: function to locally validate a JWT
7a8ead6 
Many access tokens are JWTs, which clients can validate without needing
to use the `token_introspection` endpoint. This allows multiple clients
using the same issuer to use access tokens as a means of validation
between them.
@maennchen maennchen merged commit 8762e20 into erlef:main Jan 18, 2024
25 checks passed
@maennchen maennchen added this to the v3.2.0 milestone Jan 18, 2024
@maennchen maennchen self-assigned this Jan 18, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maennchen maennchen maennchen approved these changes

Assignees

@maennchen maennchen

Labels
enhancement
Projects
None yet
Milestone
v3.2.0
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@paulswartz @maennchen