Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token claims are not verified #30

Open
lancerushing opened this issue Sep 21, 2022 · 2 comments
Open

Token claims are not verified #30

lancerushing opened this issue Sep 21, 2022 · 2 comments

Comments

@lancerushing
Copy link

lancerushing commented Sep 21, 2022

Security bug(??)

The call to JWT.decode()

JWT.decode(token,
nil,
false,
verify_iss: true,
verify_aud: true,
iss: authorization_server_path,
aud: authorization_server_audience,
verify_sub: true,
verify_expiration: true,
verify_not_before: true,
verify_iat: true,
verify_jti: false,
leeway: options[:jwt_leeway]
).first
requires true (verify = true) to allow claim verification.

The verify_* options do not do anything unless verify = true (line 99).

see: https://github.com/jwt/ruby-jwt/blob/0ae9af6fd5f5085588a65accb2a23587c52ac637/lib/jwt/decode.rb#L26-L32

@lancerushing
Copy link
Author

Something like this is needed: (not tested)

      JWT.decode(token,
                 nil,
                 true,
                 algorithm: 'RS256',
                 jwks: JSON.load(URI.open(JSON.load(URI.open(authorization_server_path) + "/.well-known/openid-configuration"))['jwks_uri'])),
                 verify_iss:        true,
                 iss:               authorization_server_path,
                 verify_aud:        true,
                 aud:               authorization_server_audience,
                 verify_sub:        true,
                 verify_expiration: true,
                 verify_not_before: true,
                 verify_iat:        true,
                 verify_jti:        false,
                 leeway:            60
      ).first

@okriuchykhin
Copy link

okriuchykhin commented Sep 30, 2022

This strategy uses a full auth code flow so an ID token is fetched by the app directly from Okta token endpoint in exchange to authorization code.
Therefore I assume the fact that token comes from predefined URL through HTTPS protocol is sufficient for token verification.

UPD:
My original comment was more about signature verification.

As for separate claims verification, indeed from version 2 of ruby-jwt gem behavior of a verify option has changed.
If it is set to false, than verification is completely skipped, even if separate claim verification options are set to true.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants