LPS-138756 (PUBLIC - Liferay Portal Community Edition)

Missing algorithm negotiation resulting in signed JWT rejected when using OpenID Connect

    Details

      Description

      This is a bug in Liferay's source that causes it not to work with Auth0. Auth0 supports two JWT signing algorithms, HS256 and RS256, and advertises them in that order, as the list of supported algorithms [HS256, RS256].

      Liferay 7.3 does not support HS256, only RS256. However, the OIDC module does not handle the list of supported algorithms properly: the code takes the first entry in the list, HS256 in this case. What it should do is loop through the list looking for an algorithm it supports and select that one.

      This is the file with the problem:
      portal-security-sso/portal-security-sso-openid-connect-impl/src/main/java/com/liferay/portal/security/sso/openid/connect/internal/OpenIdConnectMetadataFactoryImpl.java

      Line 232:

      if (ListUtil.isNotEmpty(jwsAlgorithms)) {
          // Takes the first advertised algorithm unconditionally, with no check
          // that this client can validate ID tokens signed with it.
          _oidcClientMetadata.setIDTokenJWSAlg(jwsAlgorithms.get(0));
      }
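      The selection the description asks for, written out as an added example in Python rather than the module's Java (it is not Liferay's code): it reads id_token_signing_alg_values_supported from a constructed discovery document carrying the same list the ticket quotes, shows the first-entry selection from the snippet above landing on HS256, and then walks the provider's list for the first algorithm the client can validate, failing at configuration time with a clear error when there is no overlap instead of at sign-in with "Signed JWT rejected". The issuer value and the client's supported set (RS256 only, as the ticket states for Liferay 7.3) are assumptions.

```python
import json
from typing import Iterable, Optional

# Constructed discovery-document excerpt (not a real Auth0 response); the algorithm
# list matches the one quoted in the ticket. The issuer value is a placeholder.
DISCOVERY_DOCUMENT = json.dumps({
    "issuer": "https://issuer.example.invalid/",
    "id_token_signing_alg_values_supported": ["HS256", "RS256"],
})

# Assumption: the relying party can validate only RS256-signed ID tokens,
# as the ticket says of Liferay 7.3.
CLIENT_SUPPORTED_ALGS: tuple = ("RS256",)


def advertised_id_token_algs(discovery_json: str) -> list:
    """Return id_token_signing_alg_values_supported from a discovery document, in provider order."""
    document = json.loads(discovery_json)
    algs = document.get("id_token_signing_alg_values_supported")
    if algs is None:
        # OpenID Connect Discovery requires this field; treat its absence as a provider error.
        raise ValueError("discovery document lacks id_token_signing_alg_values_supported")
    if not isinstance(algs, list) or not all(isinstance(a, str) for a in algs):
        raise ValueError("id_token_signing_alg_values_supported must be a JSON array of strings")
    return algs


def first_listed_alg(provider_algs: list) -> Optional[str]:
    """The behaviour the ticket reports: take the first entry regardless of client support."""
    return provider_algs[0] if provider_algs else None


def negotiate_id_token_alg(provider_algs: Iterable[str],
                           client_algs: Iterable[str] = CLIENT_SUPPORTED_ALGS) -> str:
    """Pick the first algorithm in the provider's list that the client can validate.

    The provider's order is taken as its preference. "none" is never selected even if
    both sides list it, since an unsigned ID token carries no integrity guarantee.
    """
    provider_algs = list(provider_algs)
    client_set = {alg for alg in client_algs if alg != "none"}
    for alg in provider_algs:
        if alg in client_set:
            return alg
    raise ValueError(
        "no mutually supported ID token signing algorithm: provider offers "
        f"{provider_algs}, client supports {sorted(client_set)}"
    )


def select_for_discovery(discovery_json: str,
                         client_algs: Iterable[str] = CLIENT_SUPPORTED_ALGS) -> str:
    """Parse the discovery document and negotiate in one step, as provider registration would."""
    return negotiate_id_token_alg(advertised_id_token_algs(discovery_json), client_algs)


if __name__ == "__main__":
    algs = advertised_id_token_algs(DISCOVERY_DOCUMENT)
    print("advertised:", algs)
    print("first entry (ticket's behaviour):", first_listed_alg(algs))  # HS256, rejected at sign-in
    print("negotiated:", negotiate_id_token_alg(algs))                  # RS256
```

      Raising during provider registration, rather than letting an unusable algorithm reach the token validator, turns a confusing runtime "Signed JWT rejected" into a configuration error the administrator sees immediately.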

      Reproduction steps:

      1. In a browser, request the Auth0 Discovery Endpoint URL: https://dev-ticv2ops.us.auth0.com/.well-known/openid-configuration
      2. Assert that the returned JSON includes "id_token_signing_alg_values_supported":["HS256","RS256"]
      3. Create an Auth0 "application" and make note of its Client ID and Client Secret.
      4. Assert that the Auth0 application is using the RS256 signing algorithm (you may find this under its "Advanced" > "OAuth" section)
      5. Enable OIDC on the portal
      6. Add a new OIDC Provider with the aforementioned Client ID, Client Secret and Discovery Endpoint URL
      7. Initiate an OIDC SSO using that provider

       Expected result: The SSO completes successfully
       Actual result: The SSO fails and the logs include a statement like "Signed JWT rejected"

              People

              Assignee: gabor.lovas Gábor Lovas
              Reporter: stian.sigvartsen Stian Sigvartsen
              Recent user: Enterprise Release HU
              Engineering Assignee: Arthur Chen
              Votes: 0
              Watchers: 1

                Dates

                Days since last comment: 43 weeks, 2 days ago

                  Packages

                  Version Package
                  7.1.X
                  7.2.10 DXP FP17
                  7.2.10.6 DXP SP6
                  7.2.X
                  7.3.X
                  7.4.13 DXP GA1
                  7.4.3.12 CE GA12
                  7.4.13 DXP U8
                  7.4.3.13 CE GA13
                  7.4.3.22 CE GA22
                  Master