Update OIDC id_token_signing_alg_values_supported for wider algo support
Previously the message verification required RS256 with no other checks
on algo. While technically RS256 MUST be supported, some implementations
have abandoned its use as insecure and instead require for example
ES256 as a minimum baseline.

This change slightly relaxes the check in a future compatible way while
still making sure an actual alg is specified instead of `none`.

```python
>>> bad = ["none"]
>>> good = ["ES256"]
>>> dodgy = ["none", "RS256"]
>>> empty = []
>>> any(i.lower() != "none" for i in dodgy)
True
>>> any(i.lower() != "none" for i in empty)
False
>>> any(i.lower() != "none" for i in good)
True
>>> any(i.lower() != "none" for i in bad)
False
```
jinnatar committed Sep 9, 2024
1 parent 0290fb0 commit 1897cc3
Showing 1 changed file with 8 additions and 2 deletions.
10 changes: 8 additions & 2 deletions src/idpyoidc/message/oidc/__init__.py
Expand Up @@ -942,8 +942,14 @@ def verify(self, **kwargs):
"token_endpoint_auth_signing_alg_values_supported"
)

if "RS256" not in self["id_token_signing_alg_values_supported"]:
raise ValueError("RS256 missing from id_token_signing_alg_values_supported")
# Check that any alg that is not "none" is supported.
# While OpenID Connect Core 1.0 says RS256 MUST be supported,
# reality has moved on and more modern alg values may be required.
if not any(i.lower() != "none" for i in self["id_token_signing_alg_values_supported"]):
raise ValueError(
"Secure signing algorithm (for example RS256 or ES256) missing from id_token_signing_alg_values_supported: %s"
% self["id_token_signing_alg_values_supported"]
)

if not parts.query and not parts.fragment:
pass
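Review bot: the new condition in `verify` only rejects the literal value "none" (case-insensitively), so the error text "Secure signing algorithm (for example RS256 or ES256) missing" overstates what is actually checked: a list such as `["HS256"]` or `["not-an-alg"]` passes, and the commit message's own `dodgy = ["none", "RS256"]` case shows that a provider advertising `none` alongside a real alg is still accepted. If the intent is to require a real asymmetric signing algorithm, compare against an allowlist of JWS alg names, for example `if not set(self["id_token_signing_alg_values_supported"]) & {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}:`, or reword the error to say that at least one value other than `none` is required. Also note that `i.lower()` raises `AttributeError` if a non-string value appears in the list, whereas the previous `"RS256" not in ...` membership test would not.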

0 comments on commit 1897cc3