oidc: verify claims before signatures#97
Merged
ericchiang merged 1 commit intoAug 18, 2016
Conversation
Checking claims is a much lighter weight operation than verifying signatures and re-syncing keys. While we still ensure that all JWTs are correctly signed and valid, throw out tokens we know are invalid based on claims before attempting to validate the signature.
Collaborator
Author
Contributor
|
This seems reasonable to me. |
ericchiang
added a commit
to ericchiang/kubernetes
that referenced
this pull request
Aug 26, 2016
This change updates the github.com/coreos/go-oidc package. Notable changes: - Throw out JWTs with invalid claims early (coreos/go-oidc#97, brougt up in kubernetes#30457) - Remove the capnslog dependency (coreos/go-oidc#95) - Support for Azure AD oddities (coreos/go-oidc#87)
k8s-github-robot
pushed a commit
to kubernetes/kubernetes
that referenced
this pull request
Sep 12, 2016
Automatic merge from submit-queue vendor: update github.com/coreos/go-oidc client package This change updates the github.com/coreos/go-oidc package to it's latest commit (since we don't version that package). Notable changes: - Throw out JWTs with invalid claims early (coreos/go-oidc#97, brougt up in #30457) - Remove the capnslog dependency (coreos/go-oidc#95) - Support for Azure AD oddities (coreos/go-oidc#87) cc @kubernetes/sig-auth
coro
added a commit
to signal-ai/louketo-proxy
that referenced
this pull request
Feb 17, 2025
Louketo has a bug revolving around this PR: coreos/go-oidc#97 essentially, the JWT verification function first checks the claims of the JWT are valid (including expiry times), then checks the signature of the token is valid. Louketo checks the response of this and returns a custom error if the token has expired to allow the auth middleware to use a refresh token to regenerate an access token. Unfortunately, the access token it generates uses the user context for the incoming request. This user context is parsed from the access token JWT but is not verified, meaning it is blindly trusted. Louketo will then regenerate a correct accessToken from Keycloak, which will be valid and have the correct claim/scopes as generated in Keycloak. I think the issue is that for the rest of the request, it has this new token in the context but still has the leftover rubbish user context parsed from the fake user we injected earlier.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Checking claims is a much lighter weight operation than verifying
signatures and re-syncing keys. While we still ensure that all JWTs
are correctly signed and valid, throw out tokens we know are invalid
based on claims before attempting to validate the signature.
Closes #93