Fixed OIDC JWT key parsing in microsoft environments

Made existence of 'alg' optional when JWK array set so we instead infer it as RSA256 if not existing. Fixes #3206
2022-01-28 14:00:55 +00:00 · 2022-01-28 14:00:55 +00:00 · 73eac83afe
commit 73eac83afe
parent c11f795c1d
3 changed files with 32 additions and 3 deletions
--- a/app/Auth/Access/Oidc/OidcJwtSigningKey.php
+++ b/app/Auth/Access/Oidc/OidcJwtSigningKey.php
@ -60,8 +60,11 @@ class OidcJwtSigningKey
     */
    protected function loadFromJwkArray(array $jwk)
    {
-        if ($jwk['alg'] !== 'RS256') {
-            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$jwk['alg']}");
+        // 'alg' is optional for a JWK, but we will still attempt to validate if
+        // it exists otherwise presume it will be compatible.
+        $alg = $jwk['alg'] ?? null;
+        if ($jwk['kty'] !== 'RSA' || !(is_null($alg) || $alg === 'RS256')) {
+            throw new OidcInvalidKeyException("Only RS256 keys are currently supported. Found key using {$alg}");
        }

        if (empty($jwk['use'])) {
--- a/app/Auth/Access/Oidc/OidcProviderSettings.php
+++ b/app/Auth/Access/Oidc/OidcProviderSettings.php
@ -164,7 +164,8 @@ class OidcProviderSettings
    protected function filterKeys(array $keys): array
    {
        return array_filter($keys, function (array $key) {
-            return $key['kty'] === 'RSA' && $key['use'] === 'sig' && $key['alg'] === 'RS256';
+            $alg = $key['alg'] ?? null;
+            return $key['kty'] === 'RSA' && $key['use'] === 'sig' && (is_null($alg) || $alg === 'RS256');
        });
    }

--- a/tests/Auth/OidcTest.php
+++ b/tests/Auth/OidcTest.php
@ -318,6 +318,31 @@ class OidcTest extends TestCase
        $this->assertCount(4, $transactions);
    }

+    public function test_auth_login_with_autodiscovery_with_keys_that_do_not_have_alg_property()
+    {
+        $this->withAutodiscovery();
+
+        $keyArray = OidcJwtHelper::publicJwkKeyArray();
+        unset($keyArray['alg']);
+
+        $this->mockHttpClient([
+            $this->getAutoDiscoveryResponse(),
+            new Response(200, [
+                'Content-Type'  => 'application/json',
+                'Cache-Control' => 'no-cache, no-store',
+                'Pragma'        => 'no-cache',
+            ], json_encode([
+                'keys' => [
+                    $keyArray,
+                ],
+            ])),
+        ]);
+
+        $this->assertFalse(auth()->check());
+        $this->runLogin();
+        $this->assertTrue(auth()->check());
+    }
+
    protected function withAutodiscovery()
    {
        config()->set([