
[Bug]: client invalid signature when OIDC server is restarted #480

Closed
1 of 2 tasks
CosbyBs86 opened this issue Nov 10, 2023 · 2 comments
Labels
bug Something isn't working

Comments

@CosbyBs86

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Version

1.13.2

Describe the problem caused by this bug

Attempting to validate the obtained authentication token against the OIDC server after it was restarted resulted in the following error:

```
failed to exchange token: invalid signature (signature verification failed: square/go-jose: error in cryptographic primitive)
```

The issue looks to be in the `client\rp\jwks.go` file, in the `VerifySignature` method: if `verifySignatureCached` returns the "invalid signature (signature verification failed: square/go-jose: error in cryptographic primitive)" error, that error is returned, and because of it `verifySignatureRemote`, which refreshes the signature with the server, is not called.

Now:

```go
// VerifySignature as quoted in the report: when the cached key is present but
// the signature check fails, the error is returned before
// verifySignatureRemote gets a chance to refresh the key set.
func (r *remoteKeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) ([]byte, error) {
	keyID, alg := oidc.GetKeyIDAndAlg(jws)
	if alg == "" {
		alg = r.defaultAlg
	}
	payload, err := r.verifySignatureCached(jws, keyID, alg)
	if payload != nil {
		return payload, nil
	}
	if err != nil { // cached key found, signature invalid: returned without refreshing
		return nil, err
	}
	return r.verifySignatureRemote(ctx, jws, keyID, alg)
}
```

To reproduce

  • From your client perform the authentication against the server.
  • When the token has been obtained from the server (and stored in a cookie) restart the oidc server
  • When the server has been restarted try to validate the token against the server. Obviously it will fail asking again for the authentication.
  • When the authentication is performed the error is shown during the callback check of the received token

Screenshots

No response

Expected behavior

  • From your client perform the authentication against the server.
  • When the token has been obtained from the server (and stored in a cookie) restart the oidc server
  • When the server has been restarted try to validate the token against the server. Obviously it will fail asking again for the authentication.
  • The authentication is performed correctly

Additional Context

No response

@CosbyBs86 CosbyBs86 added the bug Something isn't working label Nov 10, 2023
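The control flow described in the report, as an added, self-contained illustration (this is not code from the zitadel/oidc repository). It replaces the JWS machinery with a constructed Ed25519 "token" carrying a key id, a simulated provider whose restart rotates the key under the same key id (an assumption that matches the symptom described), and a key set cache with two verify strategies: `VerifyAsReported`, which mirrors the quoted `VerifySignature`, and `VerifyWithRefresh`, which treats a cached-key signature failure as a possible rotation and refetches once, subject to a minimum refresh interval so that a stream of forged tokens cannot force the client to hammer the JWKS endpoint. The names, the rate limit and the scenario steps are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// signedMessage stands in for a JWS: key id from the header, payload, raw signature.
type signedMessage struct {
	KeyID     string
	Payload   []byte
	Signature []byte
}

// keyServer simulates the provider's JWKS endpoint (constructed for this example).
type keyServer struct {
	keyID   string
	priv    ed25519.PrivateKey
	pub     ed25519.PublicKey
	Fetches int // number of JWKS downloads served
}

func newKeyServer(keyID string) *keyServer {
	s := &keyServer{keyID: keyID}
	s.Restart()
	return s
}

// Restart rotates the signing key but keeps the key id (assumed to match the report).
func (s *keyServer) Restart() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.pub, s.priv = pub, priv
}

func (s *keyServer) Sign(payload []byte) signedMessage {
	return signedMessage{KeyID: s.keyID, Payload: payload, Signature: ed25519.Sign(s.priv, payload)}
}

// JWKS returns the currently published public keys and counts the fetch.
func (s *keyServer) JWKS() map[string]ed25519.PublicKey {
	s.Fetches++
	return map[string]ed25519.PublicKey{s.keyID: s.pub}
}

var (
	ErrInvalidSignature   = errors.New("invalid signature")
	ErrRefreshRateLimited = errors.New("key refresh rate-limited")
)

// remoteKeySet caches the JWKS and decides when it may be refetched.
type remoteKeySet struct {
	srv         *keyServer
	cache       map[string]ed25519.PublicKey
	lastRefresh time.Time
	minInterval time.Duration
	clock       time.Time // injectable clock so the rate limit is testable
}

func newRemoteKeySet(srv *keyServer, minInterval time.Duration) *remoteKeySet {
	return &remoteKeySet{srv: srv, cache: map[string]ed25519.PublicKey{}, minInterval: minInterval,
		clock: time.Date(2023, 11, 10, 0, 0, 0, 0, time.UTC)}
}

func (r *remoteKeySet) Advance(d time.Duration) { r.clock = r.clock.Add(d) }

// verifyCached returns (nil, nil) when the key id is not cached at all.
func (r *remoteKeySet) verifyCached(m signedMessage) ([]byte, error) {
	pub, ok := r.cache[m.KeyID]
	if !ok {
		return nil, nil
	}
	if !ed25519.Verify(pub, m.Payload, m.Signature) {
		return nil, ErrInvalidSignature
	}
	return m.Payload, nil
}

// verifyRemote refetches the JWKS, but never more often than minInterval.
func (r *remoteKeySet) verifyRemote(m signedMessage) ([]byte, error) {
	if !r.lastRefresh.IsZero() && r.clock.Sub(r.lastRefresh) < r.minInterval {
		return nil, ErrRefreshRateLimited
	}
	r.cache, r.lastRefresh = r.srv.JWKS(), r.clock
	pub, ok := r.cache[m.KeyID]
	if !ok {
		return nil, fmt.Errorf("unknown key id %q", m.KeyID)
	}
	if !ed25519.Verify(pub, m.Payload, m.Signature) {
		return nil, ErrInvalidSignature
	}
	return m.Payload, nil
}

// VerifyAsReported mirrors the quoted VerifySignature: a cached key that fails
// verification is reported as an error and the key set is never refreshed.
func (r *remoteKeySet) VerifyAsReported(m signedMessage) ([]byte, error) {
	payload, err := r.verifyCached(m)
	if payload != nil {
		return payload, nil
	}
	if err != nil {
		return nil, err
	}
	return r.verifyRemote(m)
}

// VerifyWithRefresh treats a failing cached key as a possible rotation and
// allows one rate-limited refetch before giving up.
func (r *remoteKeySet) VerifyWithRefresh(m signedMessage) ([]byte, error) {
	payload, err := r.verifyCached(m)
	if payload != nil {
		return payload, nil
	}
	if err != nil && !errors.Is(err, ErrInvalidSignature) {
		return nil, err
	}
	return r.verifyRemote(m)
}

// Outcome records what each strategy does across the steps from the report.
type Outcome struct {
	Reported    error // token issued after the restart, control flow from the issue
	WithRefresh error // same token, refresh-on-failure
	Forged      error // forged token right after the refresh
	Fetches     int   // JWKS downloads in total
}

func RunScenario() Outcome {
	srv := newKeyServer("kid-1")
	rks := newRemoteKeySet(srv, time.Minute)

	// Step 1: first login populates the cache (one JWKS fetch).
	if _, err := rks.VerifyAsReported(srv.Sign([]byte("token-before-restart"))); err != nil {
		panic(err)
	}
	// Step 2: the provider restarts, rotating its key; the client logs in again.
	srv.Restart()
	rks.Advance(2 * time.Minute)
	tok := srv.Sign([]byte("token-after-restart"))

	var out Outcome
	_, out.Reported = rks.VerifyAsReported(tok)
	_, out.WithRefresh = rks.VerifyWithRefresh(tok)

	// Step 3: a token signed by an unrelated key (constructed) fails the cached
	// key, and the rate limit stops it from forcing another JWKS download.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := signedMessage{KeyID: tok.KeyID, Payload: tok.Payload, Signature: ed25519.Sign(otherPriv, tok.Payload)}
	_, out.Forged = rks.VerifyWithRefresh(forged)
	out.Fetches = srv.Fetches
	return out
}

func main() {
	o := RunScenario()
	fmt.Println("as reported: ", o.Reported)
	fmt.Println("with refresh:", o.WithRefresh)
	fmt.Println("forged:      ", o.Forged, "fetches:", o.Fetches)
}
```

Running it shows the reported strategy returning `invalid signature` for a perfectly valid post-restart token, while the refresh-on-failure strategy accepts it after a single extra fetch; the forged token afterwards is rejected without a third download. The minimum interval is the part to tune in a real client: without it, every invalid signature becomes a request to the provider.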
muhlemmer (Collaborator) commented Nov 10, 2023

Thanks for reporting an issue. Before we can take your report into account:

  1. Please make sure you use proper markdown formatting for code blocks.
  2. If you meant to refer to code inside the repository, use permanent links
  3. Please use a recent version of OIDC. 1.13.2 is no longer supported. v3 is supported by zitadel. v2 is based on community support only.

Regarding the contents:

  • What do you mean by "server"? Are you using an implementation of our op.Provider with storage, are you using zitadel, another product? How would I be able to reproduce those steps?

CosbyBs86 (Author) commented

Hello @muhlemmer
thank you for your feedback. I updated to the latest version and I'm not facing the issue any longer. Please close this ticket
