Conversation
Signed-off-by: cpanato <ctadeu@gmail.com>
| // GetIDToken extracts an OIDCIDToken from the raw token *without verification* | ||
| func (stg *StaticTokenGetter) GetIDToken(_ *oidc.Provider, _ oauth2.Config) (*OIDCIDToken, error) { | ||
| unsafeTok, err := jose.ParseSigned(stg.RawToken) | ||
| unsafeTok, err := jose.ParseSigned(stg.RawToken, allowedSignatureAlgorithms) |
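Review bot: `allowedSignatureAlgorithms` is used on the changed line but its definition is outside this hunk; please include it (or link to it) and add a short comment stating which algorithms it contains and why, because the function's own comment says this parse runs *without verification*, so the allowlist is the only filter applied to the token's `alg` header before `Verify()` is called. It would also help to note in the PR description whether the list matches what the previous v3 call implicitly accepted, since the v3 `jose.ParseSigned(stg.RawToken)` took no such list.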
Is this identical behavior between v3 and v4, or was there a different set of allowed algs?
This list should be sufficient and secure. Did a little reading on this change, it was in response to https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf.
Seems in the past that was not checked.
This is for the new V4.
// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization. Validation fails if
// the JWS is signed with an algorithm that isn't in the provided list of signature algorithms.
// Applications should decide for themselves which signature algorithms are acceptable. If you're
// not sure which signature algorithms your application might receive, consult the documentation of
// the program which provides them or the protocol that you are implementing. You can also try
// getting an example JWS and decoding it with a tool like https://jwt.io to see what its "alg"
// header parameter indicates. The signature on the JWS does not get validated during parsing. Call
// Verify() after parsing to validate the signature and obtain the payload.
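The quoted doc comment describes the contract of the v4 `ParseSigned`: the `alg` header is checked against the caller's allowlist at parse time, while the signature itself is only checked by a later `Verify()`. As an added example, not code from this PR or from go-jose, the standard-library-only snippet below reproduces that allowlist step on a compact JWS so the behaviour can be seen in isolation: tokens whose `alg` is outside the list are rejected before any key material is consulted. The `AllowedSignatureAlgorithms` list and `ParseSignedHeader` function are constructed for this example (the PR's own `allowedSignatureAlgorithms` is not shown in the hunk), and the tokens built by `makeCompact` carry a dummy signature, which is fine because, exactly as in go-jose, nothing here verifies it.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// AllowedSignatureAlgorithms is a constructed allowlist for this example; it is
// not the PR's own allowedSignatureAlgorithms variable, which the hunk does not show.
// Only asymmetric algorithms are listed, so "none" and HMAC variants are rejected.
var AllowedSignatureAlgorithms = []string{
	"RS256", "RS384", "RS512",
	"ES256", "ES384", "ES512",
	"PS256", "PS384", "PS512",
	"EdDSA",
}

// ErrAlgNotAllowed is returned when the token's alg is not in the allowlist.
var ErrAlgNotAllowed = errors.New("jws: signature algorithm not in allowed list")

// JWSHeader is the subset of the JOSE protected header this example inspects.
type JWSHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ,omitempty"`
}

// ParseSignedHeader mimics the v4 ParseSigned contract: split the compact JWS,
// decode the protected header, and fail if "alg" is not in allowed.
// Like ParseSigned, it does NOT verify the signature; that is a separate step.
func ParseSignedHeader(compact string, allowed []string) (*JWSHeader, error) {
	parts := strings.Split(compact, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("jws: expected 3 parts in compact serialization, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, fmt.Errorf("jws: protected header is not base64url: %w", err)
	}
	var hdr JWSHeader
	if err := json.Unmarshal(raw, &hdr); err != nil {
		return nil, fmt.Errorf("jws: protected header is not JSON: %w", err)
	}
	if hdr.Alg == "" {
		return nil, errors.New("jws: missing alg header")
	}
	for _, a := range allowed {
		if hdr.Alg == a {
			return &hdr, nil
		}
	}
	return nil, fmt.Errorf("%w: %q", ErrAlgNotAllowed, hdr.Alg)
}

// makeCompact builds a constructed compact JWS for demonstration. The payload and
// signature bytes are dummies: only the protected header matters for this check.
func makeCompact(alg string) string {
	hdr, _ := json.Marshal(JWSHeader{Alg: alg, Typ: "JWT"})
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc([]byte(`{"sub":"example"}`)) + "." + enc([]byte("dummy-signature"))
}

func main() {
	for _, alg := range []string{"RS256", "none", "HS256"} {
		_, err := ParseSignedHeader(makeCompact(alg), AllowedSignatureAlgorithms)
		fmt.Printf("alg=%-6s -> err=%v\n", alg, err)
	}
}
```

The point the example makes for reviewers of this PR is that the allowlist is the only gate at parse time: a token whose header names an algorithm outside it never reaches `Verify()`, whereas one inside it is still unverified until that call is made.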
Thank you!

We'll cut a new release soon, after #2001 merges.

@haydentherapper let's try to get the current dependencies updated as well; there are a few PRs opened.

Ack, I can help with that too. Bumping to 1.23 will hopefully help unblock the updates.

On it, doing one by one to make sure all is working :)
Summary
Not sure if that is 100% correct.
Trying to upgrade go-jose.