Exception when calling /oidc/callback #204

Closed
nfvs opened this issue Dec 14, 2017 · 9 comments

@nfvs

nfvs commented Dec 14, 2017

Using Microsoft's servers triggers this exception:

Traceback (most recent call last):
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/core/handlers/exception.py", line 41, in inner
    response = get_response(request)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/core/handlers/base.py", line 187, in _get_response
    response = self.process_exception_by_middleware(e, request)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/core/handlers/base.py", line 185, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/views/generic/base.py", line 68, in view
    return self.dispatch(request, *args, **kwargs)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/views/generic/base.py", line 88, in dispatch
    return handler(request, *args, **kwargs)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/mozilla_django_oidc/views.py", line 75, in get
    self.user = auth.authenticate(**kwargs)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/contrib/auth/__init__.py", line 70, in authenticate
    user = _authenticate_with_backend(backend, backend_path, request, credentials)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/django/contrib/auth/__init__.py", line 115, in _authenticate_with_backend
    return backend.authenticate(*args, **credentials)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/mozilla_django_oidc/auth.py", line 174, in authenticate
    if self.verify_token(id_token, nonce=nonce):
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/mozilla_django_oidc/auth.py", line 123, in verify_token
    smart_bytes(key),
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/mozilla_django_oidc/auth.py", line 95, in _verify_jws
    if not jws.verify(jwk):
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/josepy/jws.py", line 263, in verify
    return all(sig.verify(self.payload, key) for sig in self.signatures)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/josepy/jws.py", line 263, in <genexpr>
    return all(sig.verify(self.payload, key) for sig in self.signatures)
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/josepy/jws.py", line 198, in verify
    msg=self._msg(self.protected, payload))
  File "/Users/nsantos/.virtualenvs/ngn-console/lib/python3.6/site-packages/josepy/jwa.py", line 123, in verify
    verifier = key.verifier(sig, self.padding, self.hash)
AttributeError: 'bytes' object has no attribute 'verifier'

Running in Python 3.6, using these versions:

django==1.11.8
mozilla-django-oidc==0.4.2
cryptography==2.1.4
PyOpenSSL==17.5.0
@nfvs
Author

nfvs commented Dec 14, 2017

After some debugging I see the module retrieving an RS256 JWT from Microsoft, but then trying to verify it with the provided client secret, which of course will fail:

https://github.com/mozilla/mozilla-django-oidc/blob/master/mozilla_django_oidc/auth.py#L123

Even without this check, it eventually fails when comparing the JWT's alg (RS256) with OIDC_RP_SIGN_ALGO, which is HS256 by default.

Maybe I'm massively misunderstanding things, but I was under the impression that the client secret was only used to request the JWT. Why is the code above trying to verify the retrieved JWT against that secret?

@johnpaulett
Contributor

I'm running into this exception as well using Auth0. Looks like #198 is the same issue.

@peterbe
Contributor

peterbe commented Mar 16, 2018

@gdestuynder Can you help out here? You helped me with this by changing something about the key in Auth0's config. I was getting a similar error, and when you changed something it started to work.

@johnpaulett
Contributor

I believe the exception is masking the fact that the Provider is returning an RS256 token, but mozilla-django-oidc, by default, is looking for an HS256 token. I was able to get it to work by either configuring my provider to return HS256 or configuring mozilla-django-oidc to use RS256 (that took a bit more work).

@peterbe
Contributor

peterbe commented Mar 16, 2018

Making the choice of 'HS256' vs. 'RS256' is subtly part of this: #179
That PR is about rearranging the existing code so it's easier to override the algorithm choice in a subclass. Do you think that PR has legs?

@gdestuynder

what johnpaulett said :)

@peterbe
Contributor

peterbe commented Mar 19, 2018

@nfvs You can change the algorithm by setting OIDC_RP_SIGN_ALGO. Changing that, does that solve your problem?

If that turns out to be true, the error is a horrible way to figure out what's wrong. Ideas to solve that?

@nfvs
Author

nfvs commented Mar 20, 2018

@peterbe After some debugging sessions I eventually reached that conclusion as well :-) However, changing the algo merely triggered another problem, so I ended up using something else. Feel free to close this if you think this is working properly.

@surfer190

I fixed this by now providing an OIDC_RP_IDP_SIGN_KEY.
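
The mismatch diagnosed in this thread, as an added example (not mozilla-django-oidc's code and not written by any commenter): a pre-verification check that pins the token's alg to the configured OIDC_RP_SIGN_ALGO and fails with a readable error instead of an AttributeError deep inside the JWS library. The function names, the secret and both tokens are constructed for illustration; only the two setting names come from the thread.

```python
import base64, hashlib, hmac, json

class TokenConfigError(Exception):
    """The token's signing algorithm and the RP settings disagree."""

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def select_key(id_token, sign_algo, client_secret, idp_sign_key=None):
    """Pin alg to the configured value, then return the key able to verify it."""
    try:
        alg = json.loads(b64url_decode(id_token.split(".")[0]))["alg"]
    except (ValueError, TypeError, KeyError):
        raise TokenConfigError("ID token has no readable JOSE header")
    if alg != sign_algo:  # the token's own header never chooses the algorithm
        raise TokenConfigError(
            f"token is signed with {alg}, but OIDC_RP_SIGN_ALGO is {sign_algo}")
    if alg == "HS256":
        return client_secret.encode()  # the shared secret is the HMAC key
    if idp_sign_key is None:  # RS256: the client secret cannot verify this
        raise TokenConfigError(
            f"{alg} needs the provider's public key in OIDC_RP_IDP_SIGN_KEY")
    return idp_sign_key

def verify_hs256(id_token, key):
    """Constant-time HMAC-SHA256 check of a compact JWS."""
    signing_input, _, sig = id_token.rpartition(".")
    expected = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def make_token(alg, secret=None):
    """Build a constructed sample token; without a secret the signature is a dummy."""
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps({"sub": "constructed-user"}).encode())
    if secret:
        sig = hmac.new(secret.encode(), f"{head}.{body}".encode(),
                       hashlib.sha256).digest()
    else:
        sig = b"\x00" * 256
    return f"{head}.{body}.{b64url_encode(sig)}"

SECRET = "constructed-client-secret"
HS_TOKEN = make_token("HS256", SECRET)
RS_TOKEN = make_token("RS256")  # same alg as the token the provider returned here
```

Calling select_key(RS_TOKEN, "HS256", SECRET) raises TokenConfigError naming both algorithms, which is the message the traceback at the top of this issue never gave.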
