PHPFixing

Showing posts with label openid.
Thursday, October 20, 2022

[FIXED] How does OAuth 2.0 Server know which secret should use to parse jwt token during client authentication? (client_secret_jwt)

October 20, 2022 | idp, oauth, oauth-2.0, openid

Issue

My task is to add support of client authentication using JWT in my Identity Provider (a.k.a client_secret_jwt) (https://datatracker.ietf.org/doc/html/rfc7523#section-2.2).

I've stumbled upon jwt parsing.

I see client authentication flow (client_secret_jwt) like this:

A client passes registration in the IDP and gets a client_id and client_secret. Then it tries to authenticate its user and sends a request to the "oauth2/token" endpoint with a payload that contains two key-value pairs: client_assertion_type (it is a const) and client_assertion. client_assertion is a JWT that contains information about the client. The client uses client_secret to generate the JWT.

So the client sends the request and the IDP server must handle it: it retrieves the JWT from the request and now must parse it using a secret, but which client_secret should it use? At this moment it does not know anything about the client (because the request doesn't contain the client_id), so it cannot go to its database and get the specific secret for this client?

Could you give some information about the next questions:

  1. The spec really doesn't contain info about the issue, does it?
  2. Does it mean I should solve this issue on my own if Oauth spec says nothing about it?
  3. If I have to solve this issue on my own, what do you think about the solution that is to iterate over all client secrets of the IDP looking for the suitable secret?

Thank you in advance.


Solution

The answer to your question is in https://datatracker.ietf.org/doc/html/rfc7523#section-3 of the spec you referred to: when a client is using a JWT for client authentication, it must provide its client_id in the sub claim of the JWT assertion.

B. For client authentication, the subject MUST be the "client_id" of the OAuth client.



Answered By - Hans Z.
Answer Checked By - Willingham (PHPFixing Volunteer)
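An added example (not code from the answer or from any IdP product) of the lookup the answer describes: the IdP reads the unverified sub claim only to find the client's secret, then verifies the HMAC and the remaining RFC 7523 section 3 claims before trusting anything. The client registry and the token endpoint URL are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed client registry (assumption): client_id -> client_secret. A real IdP
# would query its database with the client_id taken from the unverified "sub" claim.
CLIENTS = {"app-123": "s3cret-for-app-123", "app-456": "another-secret"}
TOKEN_ENDPOINT = "https://idp.example/oauth2/token"  # assumed audience (aud) value

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_assertion(client_id: str, secret: str, now: int) -> str:
    """Client side: iss and sub are both the client_id, aud is the token endpoint."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": TOKEN_ENDPOINT,
              "jti": "constructed-jti-1", "iat": now, "exp": now + 60}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def authenticate_client(assertion: str, now: int) -> str:
    """IdP side: read the unverified sub claim only to pick the secret, then verify everything."""
    try:
        header_b64, claims_b64, sig_b64 = assertion.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(claims_b64))
        if not isinstance(header, dict) or not isinstance(claims, dict):
            raise ValueError
    except ValueError:  # covers bad padding, bad JSON and a wrong number of segments
        raise ValueError("malformed assertion")
    # Pin the algorithm before any key material is used (no "none", no alg confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    sub = claims.get("sub")
    secret = CLIENTS.get(sub) if isinstance(sub, str) else None
    if secret is None:
        raise ValueError("unknown client")
    expected = hmac.new(secret.encode(), f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # Only now are the claims trustworthy; enforce the remaining RFC 7523 section 3 rules.
    if claims.get("iss") != sub or claims.get("aud") != TOKEN_ENDPOINT:
        raise ValueError("iss/aud mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("assertion expired")
    return sub
```

Because the secret is chosen from the unverified sub claim, a forged sub can only ever select a secret that the forger does not hold, so the signature check still fails.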

Saturday, August 6, 2022

[FIXED] How should I identify a user registered using Facebook login?

August 06, 2022 | facebook-graph-api, facebook-oauth, javascript, oauth, openid

Issue

I am trying to register a user to my web application using the Facebook login feature with JavaScript and then pass the user information to the server side of the application. Now I have to save the information so I can log in later as this user, but it should be done without a password. What should I save in my application's DB instead of the password in order to authenticate that the user is really who he claims to be and not someone else who is trying to bypass my security? My first thought was to save the Facebook user ID to authenticate a user, but it doesn't sound secure at all. Is it a good idea or a bad one? Is there another way of performing what I need?


Solution

I would recommend following Facebook's OAuth examples at developers.facebook.com.

It's been a while since I've done any OAuth work, but from what I remember, Facebook executes a callback to your server that you specify. When Facebook calls this callback, they provide you with an access token. You can then use this access token to get information about the user (i.e. email, first name, last name).

It's up to you to determine what to do when this callback is called. Perhaps you fetch the user's email, first and last name and automatically create the user an account on your back end if it doesn't exist. If you found a matching account (perhaps via their email) then just log them in (you don't need to store any password for the user). I don't believe there is anything to really worry about with this approach because Facebook is providing a unique access token that resembles the user, and then your server is fetching an email based on this access token. The only way someone could crack this is if they got a hold of the access token for the user, which isn't easy (assuming you're using SSL).

To determine if someone created an account using Facebook or another approach, I'd create a column under your "user" table which indicates this information.



Answered By - Brian DiCasa
Answer Checked By - Terry (PHPFixing Volunteer)

Friday, August 5, 2022

[FIXED] How can I see SSO (OpenID/OAuth) authorization token from the client side?

August 05, 2022 | oauth, openid, single-sign-on

Issue

I know how to view a SAML request/response from the HTTP requests in the browser, which I frequently do to troubleshoot SSO configurations (such as viewing the actual claims sent in the assertion).

Is there a way to see the JWT sent during SSO using OAuth/OIDC?

Asking this from the side of the IdP administrator, not as a developer/relying party administrator, and preferably without any browser extensions.


Solution

By default the identity token is delivered in the backchannel using what is called an Authorization Code flow. There's no easy way to get it into the browser. However:

a) if you have access to the Client ID and Client Secret you may compose a Postman call that exchanges the authorization code for an identity token by hand, see: How can Postman get the OAuth 2.0 auth token in the authorization code flow?

b) if you're able to change the so-called "grant type" that the Client uses, you can use the Implicit grant type, which exchanges tokens in the front channel and is thus accessible from a browser; you should note that this grant type is deprecated.



Answered By - Hans Z.
Answer Checked By - Marie Seifert (PHPFixing Admin)

Friday, May 13, 2022

[FIXED] How do you set up an OpenID provider (server) in Ubuntu?

May 13, 2022 | linux, openid, ubuntu

Issue

I want to log onto Stack Overflow using OpenID, but I thought I'd set up my own OpenID provider, just because it's harder :) How do you do this in Ubuntu?

Edit: Replacing 'server' with the correct term OpenID provider (Identity provider would also be correct according to Wikipedia).


Solution

I personally used phpMyID just for StackOverflow. It's a simple two-file PHP script to put somewhere on a subdomain. Of course, it's not as easy as installing a .deb, but since OpenID relies completely on HTTP, I'm not sure it's advisable to install a self-contained server...



Answered By - Damien B
Answer Checked By - Candace Johnson (PHPFixing Volunteer)

Saturday, April 16, 2022

[FIXED] Why is an iFrame used for Silent Authentication?

April 16, 2022 | iframe, oauth-2.0, openid, single-sign-on

Issue

I've read on multiple pages that hidden iFrames are used for silent authentication, but I couldn't figure out yet why. What are the benefits to using an iFrame over directly sending a GET Request to the Identity Server?


Solution

It's a convenient way to get around the Single-Origin-Policy in the browser when we want to do cross-origin requests (across domains).

This was a popular approach when we didn't have the more modern CORS feature to get around the SOP-policy.



Answered By - Tore Nestenius
Answer Checked By - Clifford M. (PHPFixing Volunteer)

Tuesday, January 18, 2022

[FIXED] OpenId Component: getting attributes back from Google using CakePHP

January 18, 2022 | cakephp, cakephp-2.0, components, openid

Issue

Is there an example that I can use to successfully get OpenId user attributes (like name, email) back from Google using CakePHP and the OpenID component? When I try to add required parameters, I get "The page you requested is invalid."

More detail

Component: http://code.42dh.com/openid/

If I don't request any "attributes", it works fine. As soon as I try to add a request for required / optional attributes as in the following example, I get an error from Google: "The page you requested is invalid."

Example (Not working for me): http://cakebaker.42dh.com/2008/02/12/using-the-openid-simple-registration-extension/

According to one source (Google OpenID: the page you requested is invalid), the problem is:

The error was literally triggered by not including the openid.claimed_id and openid.identity parameters, which must be set to "http://specs.openid.net/auth/2.0/identifier_select". With these set, I get another error, which can be resolved by also filling out openid.realm, with the same value as openid.return_to.

Code

function openidlogin() {

    $realm = 'http://' . $_SERVER['HTTP_HOST'];
    $returnTo = $realm . '/users/openidlogin';

    // Google's OpenID 2.0 discovery URL
    $url = "https://www.google.com/accounts/o8/id";
    if ($this->RequestHandler->isPost() && !$this->Openid->isOpenIDResponse()) {
        try {
            $this->Openid->authenticate($url, $returnTo, $realm); // WORKS !!!
            // Same call with the required attribute list ('email') and an empty optional list
            $this->Openid->authenticate($url, 'http://'.$_SERVER['SERVER_NAME'].'/users/login', 'http://'.$_SERVER['SERVER_NAME'], array('email'), array()); // FAILS
        } catch (InvalidArgumentException $e) {
            $this->Session->setFlash("Error: Invalid OpenId");
        } catch (Exception $error) {
            // PHP concatenates strings with ".", not "+"
            $this->Session->setFlash("Error: " . $error->getMessage());
        }
    } elseif ($this->Openid->isOpenIDResponse()) {

        // The provider has redirected back to return_to; verify the assertion
        $response = $this->Openid->getResponse($returnTo);

        if ($response->status == Auth_OpenID_CANCEL) {
            $this->Session->setFlash("Google Login Cancelled");
            $this->redirect(array("controller" => "users", "action" => "login"));
        } elseif ($response->status == Auth_OpenID_FAILURE) {
            $this->Session->setFlash("Verification Failed: " . $response->message);
            $this->redirect(array("controller" => "users", "action" => "login"));
        } elseif ($response->status == Auth_OpenID_SUCCESS) {

            // Extract the attribute exchange (AX) values returned with the positive assertion
            $axResponse = Auth_OpenID_AX_FetchResponse::fromSuccessResponse($response);
            debug($response);
            debug($axResponse);
            $this->Session->setFlash("Authenticated");
        }
    }
}

Solution

Have a look at the following example: https://github.com/cakebaker/openid-component-example/blob/master/app/Controller/UsersController.php



Answered By - dhofstet
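The failure described in the question comes from the missing identifier_select and realm parameters. Here is an added example (not the cakebaker component's code, and in Python rather than PHP) that builds the Google OpenID 2.0 checkid_setup request with the AX fetch extension and checks a request URL for exactly those omissions; the OP endpoint URL, the relying-party host and the AX type URIs are assumed values.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed values: Google's historical OpenID 2.0 OP endpoint (discovered from the XRDS
# served at https://www.google.com/accounts/o8/id) and standard AX attribute type URIs.
OP_ENDPOINT = "https://www.google.com/accounts/o8/ud"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
AX_TYPES = {"email": "http://axschema.org/contact/email",
            "firstname": "http://axschema.org/namePerson/first",
            "lastname": "http://axschema.org/namePerson/last"}

def build_checkid_request(return_to: str, realm: str, required=(), optional=()) -> str:
    """Build the checkid_setup redirect URL, adding an AX fetch_request when attributes are wanted."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "checkid_setup",
        # Google rejects the request unless both identifier fields are identifier_select.
        "openid.claimed_id": IDENTIFIER_SELECT,
        "openid.identity": IDENTIFIER_SELECT,
        "openid.return_to": return_to,
        "openid.realm": realm,  # return_to must lie inside the realm (OpenID 2.0 section 9.2)
    }
    if required or optional:
        params["openid.ns.ax"] = "http://openid.net/srv/ax/1.0"
        params["openid.ax.mode"] = "fetch_request"
        for alias in (*required, *optional):
            params[f"openid.ax.type.{alias}"] = AX_TYPES[alias]
        if required:
            params["openid.ax.required"] = ",".join(required)
        if optional:
            params["openid.ax.if_available"] = ",".join(optional)
    return OP_ENDPOINT + "?" + urlencode(params)

def missing_params(url: str) -> list:
    """Name the parameters whose absence triggers Google's 'The page you requested is invalid'."""
    query = parse_qs(urlsplit(url).query)
    problems = []
    for key in ("openid.claimed_id", "openid.identity"):
        if query.get(key, [""])[0] != IDENTIFIER_SELECT:
            problems.append(key)
    realm = query.get("openid.realm", [""])[0]
    return_to = query.get("openid.return_to", [""])[0]
    if not realm or not return_to.startswith(realm):
        problems.append("openid.realm")
    return problems
```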