Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] Authentication using OpenID Connect assumes alg element under the OpenID Keys URL to be required. It is optional per specs. #22696

Closed
2 of 3 tasks
jchongtibco opened this issue May 10, 2024 · 3 comments
Closed
2 of 3 tasks

[Bug] Authentication using OpenID Connect assumes alg element under the OpenID Keys URL to be required. It is optional per specs. #22696

jchongtibco opened this issue May 10, 2024 · 3 comments
Labels
type/bug The PR fixed a bug or issue reported a bug

Comments

@jchongtibco
Copy link

Search before asking

  • I searched in the issues and found nothing similar.

Read release policy

  • I understand that unsupported versions don't get bug fixes. I will attempt to reproduce the issue on a supported version of Pulsar client and Pulsar broker.

Version

Pulsar 3.0.0

Minimal reproduce step

This is when attempting to use Pulsar Authentication using OpenID Connect with Microsoft EntraID.

  1. Create AppRegistraiton in Microsoft EntraID
  2. Use information to authenticate.

Note: You will notice that the JWKS URL provided does not have alg in the key level
( https://login.microsoftonline.com/cde6fa59-abb3-4971-be01-2443c417cbda/discovery/v2.0/keys )

What did you expect to see?

I expect authentication to success.

What did you see instead?

I see this in the Pulsar logs. "Failed to authenticate HTTP request: JWK's alg [null] does not match JWT's alg [RS256]"

Anything else?

The issue seems to be coming from here ...

org.apache.pulsar.broker.authentication.oidc.AuthenticationProviderOpenID
line 316: if (!jwt.getAlgorithm().equals(jwk.getAlgorithm())) {

It was getting the alg from the keyset which does not exists as provided by Microsoft Entra (and defined as optional as per OIDC spec)

Are you willing to submit a PR?

  • I'm willing to submit a PR!
@jchongtibco jchongtibco added the type/bug The PR fixed a bug or issue reported a bug label May 10, 2024
@jchongtibco
Copy link
Author

Here is the specification.

https://www.rfc-editor.org/rfc/rfc7517.txt#:~:text=4.4.%20%20%22alg%22%20(Algorithm)%20Parameter%0A%0A%20%20%20The,of%20this%20member%20is%20OPTIONAL

On another hand, that field is required on the “.well-known/openid-configuration” specification
(The code should probably pick it up from here instead)

[Specification] (https://openid.net/specs/openid-connect-discovery-1_0.html#:~:text=id_token_signing_alg_values_supported,supported%20but%20MUST)

Further information can be validated at
Microsoft Open ID endpoint: https://login.microsoftonline.com/common/v2.0/

             Microsoft JWT Keys endpoint: https://login.microsoftonline.com/common/discovery/v2.0/keys

@Technoboy-
Copy link
Contributor

We have fixed this issue by #22421

@lhotari
Copy link
Member

lhotari commented May 13, 2024

Duplicate of #22419 . The fix #22421 will be part of 3.0.5 and 3.2.3 releases.

@lhotari lhotari closed this as completed May 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
type/bug The PR fixed a bug or issue reported a bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@lhotari @Technoboy- @jchongtibco