
Validate token has key algorithm fixed to RSA-SHA256 #303

Open
FelipeEmerim opened this issue Nov 12, 2021 · 1 comment

Comments


FelipeEmerim commented Nov 12, 2021

Describe the bug

The grant manager class has the signature algorithm fixed at RSA-SHA256. You can see that here.

Keycloak allows us to change that algorithm. If I do that, the validate function will reject every token, even if it is valid, because it will attempt to use the wrong algorithm.

Version

keycloak: 15.0.2
keycloak-connect: 15.0.2

Expected behavior

Keycloak correctly validates tokens signed with different algorithms

Actual behavior

Keycloak rejects all tokens except those signed with RSA-SHA256

How to Reproduce?

Change access token signature algorithm to anything other than RS256, generate a token and attempt to validate using this lib.

Anything else?

A good fix would be to allow the algorithm to be configurable, and have RSA-SHA256 as the default value to avoid a breaking change.

FelipeEmerim (Author) commented

Merging this PR does the proposed fix and closes this issue.
