Affects Version/s: 7.0.X, 7.1.X, 7.2.X, 7.3.X, Master
Component/s: Application Security > OpenID Connect
Branch Version/s: 7.3.x, 7.2.x, 7.1.x
Backported to Branch: Committed
Sprint:AppSec Iteration 70, AppSec Iteration 71
Git Pull Request:
QA Test Name:
QA Test Score: 49
This is a bug in Liferay's source that causes it not to work with Auth0. Auth0 supports two JWT signing algorithms, HS256 and RS256, and its discovery document advertises them in that order as the supported algorithms: [HS256, RS256].
Liferay 7.3 does not support HS256, only RS256. However, the OIDC module does not handle the list of supported algorithms properly: it simply takes the first entry in the list, which is HS256 in this case. What it should do is iterate through the list, find an algorithm that Liferay supports, and select that one.
This is the file with the problem:
- In a browser, request the Auth0 Discovery Endpoint URL: https://dev-ticv2ops.us.auth0.com/.well-known/openid-configuration
- Assert that the returned JSON includes "id_token_signing_alg_values_supported":["HS256","RS256"]
- Create an Auth0 "application" and make note of its Client ID and Client Secret.
- Assert that the Auth0 application is using the RS256 signing algorithm (You may find this under its "Advanced" > "OAuth" section)
- Enable OIDC on portal
- Add a new OIDC Provider with the aforementioned Client ID, Client Secret and Discovery Endpoint URL
- Initiate an OIDC SSO using that provider
Expected result: The SSO completes successfully
Actual result: The SSO fails and the logs include a statement like "Signed JWT rejected"
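The algorithm negotiation the description calls for, shown against the buggy first-entry pick, as an added example that is not Liferay's own code. The discovery document below is constructed to mirror the Auth0 response quoted in the steps; only the fields needed for selection are included.

```python
import json

# Constructed sample mirroring the relevant part of Auth0's discovery
# document (issuer and jwks_uri are placeholders, not real endpoints).
DISCOVERY_JSON = """{
  "issuer": "https://tenant.example.invalid/",
  "jwks_uri": "https://tenant.example.invalid/.well-known/jwks.json",
  "id_token_signing_alg_values_supported": ["HS256", "RS256"]
}"""

# Algorithms this relying party can verify. Per the ticket, Liferay 7.3
# supports only RS256 (asymmetric, checked against the provider's JWKS).
CLIENT_SUPPORTED_ALGS = ("RS256",)


def pick_first_advertised(discovery: dict) -> str:
    """The buggy behaviour described in the ticket: take whatever the
    provider lists first, without checking whether we can verify it."""
    return discovery["id_token_signing_alg_values_supported"][0]


def select_id_token_alg(discovery: dict, client_algs=CLIENT_SUPPORTED_ALGS) -> str:
    """Walk the provider's advertised list (its order of preference) and
    return the first algorithm the client can actually verify."""
    advertised = discovery.get("id_token_signing_alg_values_supported")
    if not advertised:
        # OIDC Discovery requires RS256 in this list; an absent or empty
        # list is a malformed document, not something to guess at.
        raise ValueError("provider advertises no id_token signing algorithms")
    for alg in advertised:
        if alg in client_algs:
            return alg
    # No overlap: fail at configuration time with a clear message instead
    # of later with a bare "Signed JWT rejected" during SSO.
    raise ValueError(
        f"no mutually supported id_token algorithm: "
        f"provider={advertised}, client={list(client_algs)}"
    )


def demo():
    """Returns (buggy choice, negotiated choice) for the sample document."""
    discovery = json.loads(DISCOVERY_JSON)
    return pick_first_advertised(discovery), select_id_token_alg(discovery)


if __name__ == "__main__":
    buggy, fixed = demo()
    print(f"first-advertised: {buggy}  negotiated: {fixed}")
```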