Skip to content
This repository was archived by the owner on Jan 6, 2022. It is now read-only.

Set Algorithm for JWK (RSA) if not set #11

Merged
merged 1 commit into from
Jun 18, 2019
Merged

Set Algorithm for JWK (RSA) if not set #11

merged 1 commit into from
Jun 18, 2019

Conversation

MichelZ
Copy link
Contributor

@MichelZ MichelZ commented Apr 23, 2019

Algorithm is not mandatory for the key material, so we set it to the same as the JWT

@MichelZ
Set Algorithm for JWK (RSA) if not set
58c1d26 
Algorithm is not mandatory for the key material, so we set it to the same as the JWT
@MichelZ
Copy link
Contributor Author

MichelZ commented Apr 23, 2019

To elaborate on this, I have tried to use Azure AD as an OpenID Connect IdP for ES/Kibana, and I get the following error message:

[2019-04-22T08:15:25,582][DEBUG][c.a.o.s.a.BackendRegistry] [mize-es-master-1] 'org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET' extracting credentials from jwt-key-by-oidc http authenticator
org.apache.cxf.rs.security.jose.jws.JwsException: ALGORITHM_NOT_SET
        at org.apache.cxf.rs.security.jose.jws.JwsUtils.getPublicKeySignatureVerifier(JwsUtils.java:177) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureVerifier(JwsUtils.java:146) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]
        at org.apache.cxf.rs.security.jose.jws.JwsUtils.getSignatureVerifier(JwsUtils.java:138) ~[cxf-rt-rs-security-jose-3.2.2.jar:3.2.2]

More details here: https://discuss.opendistrocommunity.dev/t/oidc-with-azure-ad-algorithm-not-set/470

I have found out that Microsoft does not use the "ALG" header on the Key Material (JWK), you can see this here: https://login.microsoftonline.com/common/discovery/keys

This makes the verify code trip, as it is expecting an ALG header.
The ALG header is completely optional, so the code should support this.

I probably haven't done it the "right" way though, so please revise as you see fit, but the code should definitely support this, and would allow to use Microsoft's Azure Active Directory as a login provider.

@MichelZ
Copy link
Contributor Author

MichelZ commented Apr 23, 2019
edited
Loading

@floragunncom you obviously have the same issue. Dunno if Azure AD hasn't been requested much yet...

@ctt828 ctt828 mentioned this pull request Apr 25, 2019
Closed
@chrisferry
Copy link

Can we get this merged in please?

@lukibahr
Copy link

+1

@MichelZ
Copy link
Contributor Author

MichelZ commented May 27, 2019

@NihalHarish @hardik-k-shah @prashar

@alolita
Copy link
Contributor

alolita commented May 27, 2019

@chrisferry assigned to @hardik-k-shah to review.

@prashar
Copy link

prashar commented May 28, 2019
edited
Loading

@MichelZ - Can you write some unit tests for this ?

@chrisferry
Copy link

@MichelZ - Can you write some unit tests for this ?

Do we really need A unit test for this? Seems wasteful. Can't we get this approved and merged in?

@Sharma-Rajat
Copy link

+1

@shivangdoshi07 shivangdoshi07 merged commit b913674 into opendistro-for-elasticsearch:master Jun 18, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@shivangdoshi07 shivangdoshi07 shivangdoshi07 approved these changes

@hardik-k-shah hardik-k-shah hardik-k-shah approved these changes

@prashar prashar Awaiting requested review from prashar

@NihalHarish NihalHarish Awaiting requested review from NihalHarish

Assignees

@hardik-k-shah hardik-k-shah

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
8 participants
@MichelZ @chrisferry @lukibahr @alolita @prashar @Sharma-Rajat @shivangdoshi07 @hardik-k-shah