Fixed OIDC JWT key parsing in microsoft environments

ssddanbrown · ssddanbrown · commit 73eac83afe58 · 2022-01-28T14:00:55.000Z
Made existence of 'alg' optional when JWK array set so we instead infer it as RSA256 if not existing. Fixes #3206
diff --git a/app/Auth/Access/Oidc/OidcJwtSigningKey.php b/app/Auth/Access/Oidc/OidcJwtSigningKey.php
@@ -60,8 +60,11 @@ protected function loadFromPath(string $path)
      */
     protected function loadFromJwkArray(array $jwk)
     {
-        if ($jwk['alg'] !== 'RS256') {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
+        // 'alg' is optional for a JWK, but we will still attempt to validate if
+        // it exists otherwise presume it will be compatible.
+        $alg = $jwk['alg'] ?? null;
+        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
+            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
         }
 
         if (empty($jwk['use'])) {
diff --git a/app/Auth/Access/Oidc/OidcProviderSettings.php b/app/Auth/Access/Oidc/OidcProviderSettings.php
@@ -164,7 +164,8 @@ protected function loadSettingsFromIssuerDiscovery(ClientInterface $httpClient):
     protected function filterKeys(array $keys): array
     {
         return array_filter($keys, function (array $key) {
-            return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256';
+            $alg = $key['alg'] ?? null;
+            return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) || $alg === 'RS256');
         });
     }
 
diff --git a/tests/Auth/OidcTest.php b/tests/Auth/OidcTest.php
@@ -318,6 +318,31 @@ public function test_autodiscovery_calls_are_cached()
         $this->assertCount(4, $transactions);
     }
 
+    public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property()
+    {
+        $this->withAutodiscovery();
+
+        $keyArray = OidcJwtHelper::publicJwkKeyArray();
+        unset($keyArray['alg']);
+
+        $this->mockHttpClient([
+            $this->getAutoDiscoveryResponse(),
+            new Response(200, [
+                'Content-Type'  => 'application/json',
+                'Cache-Control' => 'no-cache, no-store',
+                'Pragma'        => 'no-cache',
+            ], json_encode([
+                'keys' => [
+                    $keyArray,
+                ],
+            ])),
+        ]);
+
+        $this->assertFalse(auth()->check());
+        $this->runLogin();
+        $this->assertTrue(auth()->check());
+    }
+
     protected function withAutodiscovery()
     {
         config()->set([

Original file line number	Diff line number	Diff line change
`@@ -60,8 +60,11 @@ protected function loadFromPath(string $path)`
`60`	`60`	`*/`
`61`	`61`	`protected function loadFromJwkArray(array $jwk)`
`62`	`62`	`{`
`63`		`- if ($jwk['alg'] !== 'RS256') {`
`64`		`- throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");`
	`63`	`+ // 'alg' is optional for a JWK, but we will still attempt to validate if`
	`64`	`+ // it exists otherwise presume it will be compatible.`
	`65`	`+ $alg = $jwk['alg'] ?? null;`
	`66`	`+ if ($jwk['kty'] !== 'RSA' \|\| !(is_null($alg) \|\| $alg === 'RS256')) {`
	`67`	`+ throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");`
`65`	`68`	`}`
`66`	`69`
`67`	`70`	`if (empty($jwk['use'])) {`
Original file line number	Diff line number	Diff line change
`@@ -164,7 +164,8 @@ protected function loadSettingsFromIssuerDiscovery(ClientInterface $httpClient):`
`164`	`164`	`protected function filterKeys(array $keys): array`
`165`	`165`	`{`
`166`	`166`	`return array_filter($keys, function (array $key) {`
`167`		`- return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256';`
	`167`	`+ $alg = $key['alg'] ?? null;`
	`168`	`+ return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) \|\| $alg === 'RS256');`
`168`	`169`	`});`
`169`	`170`	`}`
`170`	`171`