
No kid header is set during the connector authentication with an authorization provider. #4794

Open
scandinave opened this issue Feb 5, 2025 · 1 comment
Labels
wontfix This will not be worked on

Comments

@scandinave
Contributor

scandinave commented Feb 5, 2025

Bug Report

Describe the Bug

No kid header is set into the sign JWT request during authentication of the connector.

Expected Behavior

Set the kid header, so the authorization provider can know which key has been used to sign the assertion token.

Observed Behavior

The kid is not set

Steps to Reproduce

Steps to reproduce the behavior:

  1. Make a call to the management API of a connector that is secured by an authorization provider. (Fetch the catalog for example)
  2. The connector authenticates to the authorization provider to get a valid token to be allowed to make a request to the target connector
  3. Intercept this request with tools like Wireshark
  4. The request does not contain the kid of the key used to sign the client assertion.

Context Information

Add any other context about the problem here.

  • Used version 0.11.0

Detailed Description

Some authorization providers (like Keycloak) will only pick the first key exposed by a JWKS endpoint if no kid header is available. This causes issues if we want to expose multiple keys on an endpoint for scenarios like key rotation.

Possible Implementation

In the Oauth2ServiceExtension,

```java
jwtDecoratorRegistry.register(OAUTH2_TOKEN_CONTEXT, Oauth2AssertionDecorator.Builder.newInstance()
                .audience(config.getProviderAudience())
                .clientId(config.getClientId())
                .clock(clock)
                .validity(config.getTokenExpiration())
                .kid(certificate.getSerialNumber().toString()) // Add this line to generate a keyid.
                .build());
```

KeyId as serial number is the format used by nimbus-jose.
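The failure mode described in this issue (an authorization server that falls back to the first JWKS entry when the client assertion carries no `kid`) can be shown end to end with nimbus-jose-jwt. The following is an added example, not code from the EDC project or from the issue author; the class name `ClientAssertionKidDemo`, the key ids `key-2024-old`/`key-2025-new`, the client id `connector-a` and the audience URL are all constructed values. Two keys are generated to simulate a rotation, both public halves are published in a JWKS with the old key listed first, and a `private_key_jwt`-style client assertion signed with the new key is verified with and without a `kid` header. The `selectKey` method reproduces the first-key fallback the issue attributes to Keycloak; it is a model of that behaviour, not Keycloak's code.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.util.Date;
import java.util.List;
import java.util.UUID;

// Added example (not EDC project code): shows why the kid header matters when a
// JWKS endpoint exposes more than one key, e.g. during key rotation.
public class ClientAssertionKidDemo {

    // Build an RFC 7523-style client assertion signed with the given RSA key.
    // When withKid is true the JWS header carries the key's kid, as the issue requests.
    static SignedJWT buildAssertion(RSAKey signingKey, String clientId, String audience, boolean withKid)
            throws JOSEException {
        JWSHeader.Builder header = new JWSHeader.Builder(JWSAlgorithm.RS256);
        if (withKid) {
            header.keyID(signingKey.getKeyID());
        }
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer(clientId)
                .subject(clientId)
                .audience(audience)
                .issueTime(new Date())
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .jwtID(UUID.randomUUID().toString())
                .build();
        SignedJWT jwt = new SignedJWT(header.build(), claims);
        jwt.sign(new RSASSASigner(signingKey.toRSAPrivateKey()));
        return jwt;
    }

    // Authorization-server side key selection, modelled on the behaviour the issue
    // describes: look the key up by kid if present, otherwise take the first JWKS entry.
    static JWK selectKey(JWKSet jwks, SignedJWT jwt) {
        String kid = jwt.getHeader().getKeyID();
        if (kid != null) {
            return jwks.getKeyByKeyId(kid);
        }
        List<JWK> keys = jwks.getKeys();
        return keys.isEmpty() ? null : keys.get(0);
    }

    // Verify the assertion signature with whichever key selectKey picked.
    static boolean verify(JWKSet jwks, SignedJWT jwt) throws JOSEException {
        JWK key = selectKey(jwks, jwt);
        if (key == null) {
            return false;
        }
        return jwt.verify(new RSASSAVerifier(key.toRSAKey().toRSAPublicKey()));
    }

    public static void main(String[] args) throws JOSEException {
        // Rotation scenario (constructed): the old key is still published first,
        // the new key is the one the connector actually signs with.
        RSAKey oldKey = new RSAKeyGenerator(2048).keyID("key-2024-old").generate();
        RSAKey newKey = new RSAKeyGenerator(2048).keyID("key-2025-new").generate();
        JWKSet published = new JWKSet(List.of(oldKey.toPublicJWK(), newKey.toPublicJWK()));

        String clientId = "connector-a";
        String audience = "https://idp.example/token";

        SignedJWT withoutKid = buildAssertion(newKey, clientId, audience, false);
        SignedJWT withKid = buildAssertion(newKey, clientId, audience, true);

        System.out.println("no kid header, signed with new key -> verified: " + verify(published, withoutKid));
        System.out.println("kid header set, signed with new key -> verified: " + verify(published, withKid));
    }
}
```

Run with nimbus-jose-jwt on the classpath (the EDC OAuth2 extension already depends on it). The assertion without a `kid` fails verification because the server tries the first published key, which is the retired one; the assertion with a `kid` is verified against the correct key. Whatever value is chosen for the kid (the certificate serial number proposed above, or any other stable identifier), it must match the `kid` of the corresponding entry in the published JWKS, otherwise `getKeyByKeyId` returns null and the check fails closed.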

@github-actions github-actions bot added the triage all new issues awaiting classification label Feb 5, 2025
@paullatzelsperger
Member

paullatzelsperger commented Feb 19, 2025

This area of code, in particular the OAuth2ServiceExtension is deprecated and is scheduled for removal soon.
If your project uses OAuth2 as central identity provider, I recommend that you copy the extension into your own code base and maintain it there.

The EDC project will not invest in deprecated code.

@paullatzelsperger paullatzelsperger added wontfix This will not be worked on and removed triage all new issues awaiting classification labels Feb 19, 2025