Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug In readTokenDecryptionKey #33021

Closed
jainhitesh9998 opened this issue Apr 30, 2023 · 4 comments
Closed

Bug In readTokenDecryptionKey #33021

jainhitesh9998 opened this issue Apr 30, 2023 · 4 comments
Labels
area/oidc kind/bug Something isn't working

Comments

@jainhitesh9998
Copy link
Contributor

jainhitesh9998 commented Apr 30, 2023
edited
Loading

Describe the bug

Module - quarkus-oidc

quarkus/extensions/oidc/runtime/src/main/java/io/quarkus/oidc/runtime/OidcRecorder.java

Line 327 in 9380d09

private static Key readTokenDecryptionKey(OidcTenantConfig oidcConfig) {

this condition resolved to false even when i pass a valid jwks private key
keys.get(0).getAlgorithm() == KeyEncryptionAlgorithm.RSA_OAEP.getAlgorithm(), resulting in application startup failure on configuration of this QUARKUS_OIDC_TOKEN_DECRYPTION_KEY_LOCATION parameter

I've changed it to in my local builds and the resolution happens properly and application starts up
properlykeys.get(0).getAlgorithm().equals(KeyEncryptionAlgorithm.RSA_OAEP.getAlgorithm())

Expected behavior

The resolution should be true and if jwks is passed and the private key should be set

Actual behavior

since this check fails, the flow moves to decoding the keyContent as pem file and it gives error in parsing base64 string

if (key == null) {
                    key = KeyUtils.decodeDecryptionPrivateKey(keyContent);
                }

How to Reproduce?

I'm trying to configure and use jwe with quarkus-oidc

configure QUARKUS_OIDC_TOKEN_DECRYPTION_KEY_LOCATION with a location of a private jwks key along with other oidc properties.

I can provide the complete setup i'm trying to validate if necessary.

This looks like a trivial bug, and i can send a PR for this.

Output of uname -a or ver

21.6.0 Darwin Kernel Version 21.6.0: Mon Dec 19 20:43:09 PST 2022; root:xnu-8020.240.18~2/RELEASE_ARM64_T6000 arm64classes/

Output of java -version

openjdk 17.0.4.1 2022-08-12 LTS

GraalVM version (if different from Java)

No response

Quarkus version or git rev

2.16

Build tool (ie. output of mvnw --version or gradlew --version)

Apache Maven 3.8.5

Additional information

No response
@jainhitesh9998 jainhitesh9998 added the kind/bug Something isn't working label Apr 30, 2023
@sberyozkin
Copy link
Member

sberyozkin commented Apr 30, 2023
edited
Loading

@jainhitesh9998 Thanks, the test uses the pem file as far as I recall, would you like to open a simply PR to fix it ?

@jainhitesh9998 jainhitesh9998 mentioned this issue Apr 30, 2023
Merged
@jainhitesh9998
Copy link
Contributor Author

The private jwk Key is configured in this tests:
quarkus.oidc.code-flow-encrypted-id-token-jwk.token.decryption-key-location=privateKey.jwk

https://github.com/quarkusio/quarkus/blob/main/test-framework/oidc-server/src/main/resources/privateKey.jwk this file doesn't contain 'alg' and 'use' field

fixing the properties and adding another PR to validate the changes

@jainhitesh9998
Copy link
Contributor Author

As of now i only see one enc type supported "RSA-OAEP"
RSA-OAEP-256 and a few other variants were missing, jwk with those specific enc types would also result in error due going to pem workflow, wouldn't it be better to throw an exception for unsupported type, there

@sberyozkin
Copy link
Member

Closed by #33023

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@sberyozkin @jainhitesh9998