1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-30 07:32:39 +01:00

Fixed OIDC JWT key parsing in microsoft environments

Made existence of 'alg' optional when JWK array set so we instead infer
it as RSA256 if not existing.

Fixes #3206
This commit is contained in:
Dan Brown 2022-01-28 14:00:55 +00:00
parent c11f795c1d
commit 73eac83afe
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 32 additions and 3 deletions

View File

@ -60,8 +60,11 @@ class OidcJwtSigningKey
*/
protected function loadFromJwkArray(array $jwk)
{
if ($jwk['alg'] !== 'RS256') {
throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
// 'alg' is optional for a JWK, but we will still attempt to validate if
// it exists otherwise presume it will be compatible.
$alg = $jwk['alg'] ?? null;
if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
}
if (empty($jwk['use'])) {

View File

@ -164,7 +164,8 @@ class OidcProviderSettings
protected function filterKeys(array $keys): array
{
return array_filter($keys, function (array $key) {
return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256';
$alg = $key['alg'] ?? null;
return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) || $alg === 'RS256');
});
}

View File

@ -318,6 +318,31 @@ class OidcTest extends TestCase
$this->assertCount(4, $transactions);
}
public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property()
{
$this->withAutodiscovery();
$keyArray = OidcJwtHelper::publicJwkKeyArray();
unset($keyArray['alg']);
$this->mockHttpClient([
$this->getAutoDiscoveryResponse(),
new Response(200, [
'Content-Type' => 'application/json',
'Cache-Control' => 'no-cache, no-store',
'Pragma' => 'no-cache',
], json_encode([
'keys' => [
$keyArray,
],
])),
]);
$this->assertFalse(auth()->check());
$this->runLogin();
$this->assertTrue(auth()->check());
}
protected function withAutodiscovery()
{
config()->set([