Compressing logic for verification #28
Conversation
|
Google Worked! SalesForce failed - Fatal error: Uncaught exception 'OpenIDConnectClientException' with message 'Unable to verify signature' in /var/www/openid-connect-php.savagesoft.com/web/OpenIDConnectClient.php5:207 Stack trace: #0 /var/www/openid-connect-php.savagesoft.com/web/index.php(46): OpenIDConnectClient->authenticate() #1 {main} thrown in /var/www/openid-connect-php.savagesoft.com/web/OpenIDConnectClient.php5 on line 207 Looks like it is somewhere down in verifyRSAJWTsignature(), sorry that is the best I can do at this time. |
| @@ -403,28 +403,14 @@ class OpenIDConnectClient | |||
| */ | |||
| private function get_key_for_header($keys, $header) { | |||
| foreach ($keys as $key) { | |||
| if ($key->alg == $header->alg && $key->kid == $header->kid) { | |||
| if ((isset($header->kid) && $key->alg == $header->alg && $key->kid == $header->kid) | |||
| || ($key->kty == 'RSA')) { | |||
| return $key; | |||
| } | |||
| } | |||
| throw new OpenIDConnectClientException('Unable to find a key for (algorithm, kid):' . $header->alg . ', ' . $header->kid . ')'); | |||
There was a problem hiding this comment.
This patch works great for me, but it needs one final enhancement. Please change line 411 from:
throw new OpenIDConnectClientException('Unable to find a key for (algorithm, kid):' . $header->alg . ', ' . $header->kid . ')');
to
if (isset($header->kid)) {
throw new OpenIDConnectClientException('Unable to find a key for (algorithm, kid):' . $header->alg . ', ' . $header->kid . ')');
} else {
throw new OpenIDConnectClientException('Unable to find a key for RSA');
}
Thanks!
|
I am intermittently getting the same exception described by @zmon above, but I'm using Google. I've traced through the code, and it is coming from the test at line 444 ($rsa->verify($payload, $signature)). I have repeated the authentication attempt with the same credentials over and over (repeatedly clicking my login link); sometimes the test returns true, and sometimes it returns false. When it returns false, the exception shown by @zmon above is thrown. What would cause the signature verification to fail intermittently for the same credentials? |
|
Hi - I can add another provider to the list. I'm authenticating on MIT's OpenID provider, which is running MITREid Connect: https://github.com/mitreid-connect/ I am having the same difficulty as @cicalese - the JWT signature doesn't verify. And of course, the JWK JSON is a little different; you can find it at https://oidc.mit.edu/jwk . |
|
@cicalese I think there are two bugs interacting here. The first bug is in key selection (the logic that's the subject of this pull request). When I try to authenticate with Google, it fails initially because Google has two public keys listed; their JWK JSON is structured such that ($key->kty == $alg) always returns TRUE, which means the first key is always used even if the response was signed with the second key. I fiddled with the logic to make it pick the right key, but even when it's using the right key $rsa->verify() doesn't return TRUE. As I mentioned in #35, I can verify the signature with the online tool at http://jwt.io, so something is working; but I'm not enough of a crypto nerd to push any further. |
|
I just tried the jumbojett-patch-1 branch, and I'm still getting the error: Uncaught exception 'OpenIDConnectClientException' with message 'Unable to verify signature' |
Compatibility with IdentityServer3
@cicalese
@alexedelsburg
@zmon
I compressed some of the logic from your individual pull requests that were submitted. I know several of you are working with various OIDC providers. Would you be kind enough to verify this patch on your provider?