PUBLIC - Liferay Portal Community Edition
LPS-138756

Missing algorithm negotiation resulting in signed JWT rejected when using OpenID Connect

    Description

    This is a bug in Liferay's source that causes it not to work with Auth0. Auth0 supports two JWT algorithms, HS256 and RS256, and advertises them in that order in its discovery document as the supported algorithms: [ HS256, RS256 ].

    Liferay 7.3 does not support HS256, only RS256. However, the OIDC module does not handle the list of supported algorithms properly. The code takes the first one in the list, HS256 in this case. What it should do is loop through the list looking for a supported algorithm and then select it.

    This is the file with the problem:
    portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectMetadataFactoryImpl.java

    Line 232:

```java
if (ListUtil.isNotEmpty(jwsAlgorithms)) {
    _oidcClientMetadata.setIDTokenJWSAlg(jwsAlgorithms.get(1));
}
```
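    The negotiation the report asks for, shown as an added example that is not Liferay's code and not written by the reporter: the client keeps its own list of verifiable algorithms in preference order, intersects it with the provider's advertised `id_token_signing_alg_values_supported` instead of reading a fixed position, and then enforces the negotiated value on the ID token's `alg` header before any signature verification. The discovery-document fragment and the tokens are constructed for the demonstration; the client algorithm list, the function names and the `example.invalid` issuer are assumptions, not Liferay configuration.

```python
"""Negotiating the ID-token JWS algorithm from an OIDC discovery document.

Hypothetical example (not Liferay code). The provider advertises a list of
algorithms; the relying party picks one it can actually verify rather than a
fixed index, then rejects any ID token whose header does not carry that alg.
"""
import base64
import json

# Algorithms this hypothetical relying party can verify, in preference order.
CLIENT_SUPPORTED_ALGS = ("RS256", "ES256")

# Constructed discovery-document fragment; the alg list matches what the Auth0
# endpoint in the report returns, in the same order.
DISCOVERY_DOC = json.loads("""
{
  "issuer": "https://example.invalid/",
  "id_token_signing_alg_values_supported": ["HS256", "RS256"]
}
""")


def pick_fixed_index(provider_algs, index=0):
    """The behaviour the report describes: take a fixed position in the list."""
    return provider_algs[index] if provider_algs else None


def negotiate_id_token_alg(provider_algs, client_algs=CLIENT_SUPPORTED_ALGS):
    """Return the first client-supported alg that the provider also offers.

    Client preference order wins, and "none" is never selectable even if the
    provider advertises it. Raises ValueError when there is no common
    algorithm, so a mismatched provider is rejected at registration time
    instead of failing at the first login with "Signed JWT rejected".
    """
    offered = {alg for alg in provider_algs if alg != "none"}
    for alg in client_algs:
        if alg in offered:
            return alg
    raise ValueError(
        f"no common ID token signing algorithm: provider offers "
        f"{sorted(offered)}, client supports {list(client_algs)}"
    )


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_id_token_alg(id_token, expected_alg):
    """Reject a compact JWS whose header alg differs from the negotiated alg.

    Runs before any signature check, so a token signed with HS256 (or an
    unsigned alg "none" token) is never handed to the RS256 verifier.
    Returns the decoded header on success, raises ValueError otherwise.
    """
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 segments)")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg != expected_alg:
        raise ValueError(
            f"Signed JWT rejected: header alg {alg!r} != negotiated {expected_alg!r}"
        )
    return header


def _make_token(header):
    """Constructed JWT for the demonstration: payload and signature segments
    are placeholders, only the header is inspected here."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    p = base64.urlsafe_b64encode(b'{"sub":"demo"}').rstrip(b"=").decode()
    return f"{h}.{p}.sig"


if __name__ == "__main__":
    provider_algs = DISCOVERY_DOC["id_token_signing_alg_values_supported"]
    print("fixed index picks:", pick_fixed_index(provider_algs))
    chosen = negotiate_id_token_alg(provider_algs)
    print("negotiated:", chosen)
    for hdr in ({"alg": "RS256", "typ": "JWT"}, {"alg": "HS256"}, {"alg": "none"}):
        try:
            check_id_token_alg(_make_token(hdr), chosen)
            print(hdr["alg"], "accepted")
        except ValueError as exc:
            print(hdr["alg"], "->", exc)
```

    With the Auth0 list [HS256, RS256] the fixed-index pick yields HS256, which the client cannot verify, while the negotiation yields RS256; the header check then turns an HS256-signed or unsigned token into an explicit rejection rather than a failed RS256 verification.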

    Reproduction steps:

    1. In a browser, request the Auth0 Discovery Endpoint URL: https://dev-ticv2ops.us.auth0.com/.well-known/openid-configuration
    2. Assert that the JSON content returned includes "id_token_signing_alg_values_supported":["HS256","RS256"]
    3. Create an Auth0 "application" and make note of its Client ID and Client Secret.
    4. Assert that the Auth0 application is using the RS256 signing algorithm (You may find this under its "Advanced" > "OAuth" section)
    5. Enable OIDC on portal
    6. Add a new OIDC Provider with the aforementioned Client ID, Client Secret and Discovery Endpoint URL
    7. Initiate an OIDC SSO using that provider

     Expected result: The SSO completes successfully
     Actual result: The SSO fails and the logs include a statement like "Signed JWT rejected"


            People

            Assignee:
            gabor.lovas Gábor Lovas
            Reporter:
            stian.sigvartsen Stian Sigvartsen
            Engineering Assignee:
            Arthur Chen


                Packages

                Version Package
                Master