jwk: anonymous request can't read public keys #253
Comments
Which version are you running? How did you get the token - did you use
Used the oidc-client-js library (that I used before) https://github.com/IdentityModel/oidc-client-js
Are you using a different client to request the token here (different from the one above)? Because the above requires Maybe I'm missing something; I'm trying to see if I can reproduce.
@faxal thanks for investigating :) @janekolszak are you by any chance using a token that was issued on behalf of a user instead of on behalf of the client? I tried reproducing your issue with the following:

```sh
# create policy
$ hydra policies create -f docs/access-control/policies/everyone-can-read-public-keys.json

# create client
$ hydra clients create -c=[http://localhost/cb] -g [client_credentials] -a [hydra] -r [code,token]

# get access token
$ curl -X POST \
  -H "Authorization: Basic ZTllYWMzNjAtYjA5Zi00NmY4LWIwNDktODlkMjZhZWNkYWFmOlNqbj1DMXktc19RVEcscHoxPlctckM5ZElv" \
  -H "Cache-Control: no-cache" \
  -H "Postman-Token: d472a862-943c-3596-fc13-f71ee34d37f1" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'grant_type=client_credentials&scope=hydra.keys' \
  "http://localhost:4444/oauth2/token"
{
  "access_token": "9wHkwSg_jThB1sPnt8tX-9tukrXwJymTU9UZCUThB5M.DMVw60sQ8gbh6x29079_fO987_ktHqQT8R4uSD_CGng",
  "expires_in": "3600",
  "scope": "hydra.keys",
  "token_type": "bearer"
}

# request key
$ curl -X GET \
  -H "Authorization: bearer 9wHkwSg_jThB1sPnt8tX-9tukrXwJymTU9UZCUThB5M.DMVw60sQ8gbh6x29079_fO987_ktHqQT8R4uSD_CGng" \
  -H "Cache-Control: no-cache" \
  -H "Postman-Token: e2851819-8240-6ce3-5017-6fc573fc1943" \
  "http://localhost:4444/keys/hydra.openid.connect/public"
{"keys":[{"kty":"RSA","kid":"public","n":"7wV6myGPv4XL3v7X3FVwWzQvjnFMOh7t0_Ua-d6AtOA6NcY1b2OnYqpDiYUCp5I3vtq5G9YZPLK7XcuNLTtO2TCf_ycmu0AIX3NMkKSIUpmR5tJEGdRPzG6umMZ5DWNBeERsHGJzNCJyzAyStQ_kI-DfCZEn3iHuL9jsZCb5pYptqESpkvpqzLFfa3R5EXdGrzxrKrALIHCSyTocGoFWQ7ogjcOjdlq0f69cvTrIH5Dia7aRmfmYGXZ6BzXehKPCjGYuexKTUQAmvJov9UWb8jWS8rLf1by-aibwCxsx6aZwYz7_dI7XQSkQ6fzOrqB-9ktcISztc9Act7AUwovg2zZaMJlTojcz1IIBxhSCQ4ZY6quY7skgwTfGpYivhWWnwb0mTjxbph0Ck_za-R6H53U7AGj60H1AgpZRG6bQu06oGY7cTfjKxTGd8_beaFCAVuQaf09_808mkvfSsnPU5EcfNrBjTukiQUxgdyyRljPvSRgJ8JJfZ0_D712JJ-9aXKAVwyLxqhnOWE008tTSNOiyIblgjrSp0Wcjh90eGO2EKpzvJfF7te6FvoBK1cEtl7SiF6oeh9KQvmFJVug4KDRYeGjWFN-iHJHCPgYue3LE1S72q6-zZ4kATSZZceC-SXocpORVgyT1hljEEvc0YoQc4lsjjwSLDeyIQZPj2VU","e":"AQAB"}]}
```

where policy.json is:

```json
{
  "description": "Allow everyone including anonymous users to read JSON Web Keys having Key ID *public*.",
  "subjects": [
    "<.*>"
  ],
  "effect": "allow",
  "resources": [
    "rn:hydra:keys:<[^:]+>:public"
  ],
  "actions": [
    "get"
  ]
}
```
@faxal No, the clients are different. Getting keys from hydra has to work with client credentials; the idp library uses it.
I believe that the issue is that the idp library is accessing the endpoint without passing along an access token, which is, iirc, how the JWKS URI works in OpenID Connect. So the issue here is that, even though you allowed all subjects to access the endpoint, it still requires a valid access token. As that token isn't passed, the keys endpoint rejects the request. To resolve this, we need to add a way to let anonymous requests pass through when all subjects are allowed.
I will address this in #243 |
Confirmed. Temporary solution is to serve the unprotected key from the RP, e.g.:

```go
// Inside an RP HTTP handler: fetch the key with the RP's own (authenticated)
// Hydra client and hand it to the unauthenticated caller.
jwk, err := model.HydraClient.JWK.GetKey("hydra.openid.connect", "public")
if err != nil {
	// ...
}
c.JSON(http.StatusOK, jwk)
```
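As an added example (not the reporter's code and not the Hydra SDK), here is the same workaround written against plain net/http, with the check a practitioner would want before exposing a fetched key to the world: the RP refuses to republish anything carrying a private JWK member, and it only ever serves one fixed set and kid so callers cannot steer it at other keys. The Hydra base URL and the RP's access token are assumed to be supplied by the caller; the Hydra server inside the block is a constructed httptest stand-in that demands a bearer token, as the real endpoint did at the time of this issue.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// privateMembers are JWK members that must never leave the RP (RFC 7518 section 6).
var privateMembers = []string{"d", "p", "q", "dp", "dq", "qi", "oth", "k"}

// JWKSet is the part of a JSON Web Key Set this proxy needs.
type JWKSet struct {
	Keys []map[string]interface{} `json:"keys"`
}

// KeyProxy fetches a key from Hydra's protected keys endpoint with the RP's
// own bearer token and republishes it without requiring authentication.
type KeyProxy struct {
	HydraURL string // assumed Hydra base URL, e.g. http://localhost:4444
	Token    string // access token the RP obtained via client_credentials
	Client   *http.Client
}

// FetchPublic retrieves /keys/{set}/{kid} from Hydra and returns the key set only
// if every key in it is public, so a misconfigured kid can never leak a private key.
func (p *KeyProxy) FetchPublic(set, kid string) (*JWKSet, error) {
	req, err := http.NewRequest("GET", fmt.Sprintf("%s/keys/%s/%s", p.HydraURL, set, kid), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+p.Token)
	resp, err := p.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("hydra returned %d for %s/%s", resp.StatusCode, set, kid)
	}
	var ks JWKSet
	if err := json.NewDecoder(resp.Body).Decode(&ks); err != nil {
		return nil, err
	}
	for _, k := range ks.Keys {
		for _, m := range privateMembers {
			if _, present := k[m]; present {
				return nil, fmt.Errorf("refusing to publish key %v: private member %q present", k["kid"], m)
			}
		}
	}
	return &ks, nil
}

// ServeHTTP is the unauthenticated RP endpoint (mount it at e.g. /jwks). It serves
// one fixed set and kid, so callers cannot pick arbitrary keys out of Hydra.
func (p *KeyProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	ks, err := p.FetchPublic("hydra.openid.connect", "public")
	if err != nil {
		http.Error(w, "key unavailable", http.StatusBadGateway)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(ks)
}

// NewFakeHydra is a constructed stand-in for Hydra's keys endpoint: it demands the
// expected bearer token, serves a public RSA key for any kid, and adds a private
// member for kid "private" so the proxy's refusal path can be exercised offline.
func NewFakeHydra(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "missing or invalid token", http.StatusUnauthorized)
			return
		}
		parts := strings.Split(strings.TrimPrefix(r.URL.Path, "/keys/"), "/")
		if len(parts) != 2 {
			http.NotFound(w, r)
			return
		}
		key := map[string]interface{}{"kty": "RSA", "kid": parts[1], "n": "constructed-modulus", "e": "AQAB"}
		if parts[1] == "private" {
			key["d"] = "constructed-private-exponent"
		}
		json.NewEncoder(w).Encode(JWKSet{Keys: []map[string]interface{}{key}})
	}))
}

func main() {
	hydra := NewFakeHydra("tok-rp-123")
	defer hydra.Close()
	proxy := &KeyProxy{HydraURL: hydra.URL, Token: "tok-rp-123", Client: hydra.Client()}
	_, err := proxy.FetchPublic("hydra.openid.connect", "private")
	fmt.Println(err)
}
```

The private-member check is the part worth keeping even after Hydra learned to serve public keys anonymously: a JWKS endpoint is trusted by every verifier that consumes it, so whatever publishes it should fail closed on anything that is not a public key.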
You can now allow keys to be publicly available with this policy:

```json
{
  "description": "Allow everyone including anonymous users to read JSON Web Keys having Key ID *public*.",
  "subjects": [
    "<^$>"
  ],
  "effect": "allow",
  "resources": [
    "rn:hydra:keys:<[^:]+>:public"
  ],
  "actions": [
    "get"
  ]
}
```

Alternatively, you can also achieve this by setting
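To make concrete what the two resolution comments above describe (the keys endpoint demanding a token before the policy was consulted, and the `<^$>` policy that grants anonymous access once an empty subject is actually evaluated), here is an added Go example; it is not Hydra's or ladon's code. The `<...>` template compiler and `Decide` are a simplified model of ladon-style policies as posted in this thread, the `tokens` map is a constructed stand-in for token introspection, and `Authorize` is a hypothetical middleware that runs either the behaviour reported in this issue or the fixed one depending on a flag.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
)

// Policy mirrors the shape of the policy JSON posted in this thread.
type Policy struct {
	Subjects, Resources, Actions []string
	Effect                       string // "allow" or "deny"
}

// compileTemplate turns "rn:hydra:keys:<[^:]+>:public" into an anchored regexp:
// text outside <...> is matched literally, text inside is a regular expression.
func compileTemplate(tpl string) (*regexp.Regexp, error) {
	var b strings.Builder
	b.WriteString("^")
	for rest := tpl; ; {
		start := strings.Index(rest, "<")
		if start < 0 {
			b.WriteString(regexp.QuoteMeta(rest))
			break
		}
		end := strings.Index(rest[start:], ">")
		if end < 0 {
			return nil, fmt.Errorf("unterminated '<' in template %q", tpl)
		}
		b.WriteString(regexp.QuoteMeta(rest[:start]) + "(?:" + rest[start+1:start+end] + ")")
		rest = rest[start+end+1:]
	}
	b.WriteString("$")
	return regexp.Compile(b.String())
}

func matchesAny(templates []string, value string) (bool, error) {
	for _, t := range templates {
		re, err := compileTemplate(t)
		if err != nil {
			return false, err
		}
		if re.MatchString(value) {
			return true, nil
		}
	}
	return false, nil
}

// Decide is default-deny: an explicit deny wins, otherwise at least one allow
// policy must match subject, action and resource. Anonymous callers use "".
func Decide(policies []Policy, subject, action, resource string) (bool, error) {
	allowed := false
	for _, p := range policies {
		matched := true
		for i, tpls := range [][]string{p.Subjects, p.Actions, p.Resources} {
			ok, err := matchesAny(tpls, []string{subject, action, resource}[i])
			if err != nil {
				return false, err
			}
			matched = matched && ok
		}
		if matched && p.Effect == "deny" {
			return false, nil
		}
		allowed = allowed || matched
	}
	return allowed, nil
}

// tokens is a constructed stand-in for token introspection (bearer token -> subject).
var tokens = map[string]string{"tok-app-123": "app-client"}

func bearer(r *http.Request) string {
	if h := r.Header.Get("Authorization"); len(h) > 7 && strings.EqualFold(h[:7], "bearer ") {
		return h[7:]
	}
	return ""
}

// Authorize returns the HTTP status a keys request should get. With
// allowAnonymous=false it is the behaviour reported in this issue: a valid token
// is demanded before the policy is consulted, so an anonymous request gets 401
// even when a policy allows every subject. With allowAnonymous=true (the fix) a
// request without a token is evaluated as the empty subject "", which "<^$>" or
// "<.*>" can match; a token that is present but unknown is still rejected.
func Authorize(policies []Policy, r *http.Request, action, resource string, allowAnonymous bool) (int, error) {
	tok := bearer(r)
	subject, known := tokens[tok]
	if !known && !(allowAnonymous && tok == "") {
		return http.StatusUnauthorized, nil
	}
	if allowed, err := Decide(policies, subject, action, resource); err != nil {
		return http.StatusInternalServerError, err
	} else if !allowed {
		return http.StatusForbidden, nil
	}
	return http.StatusOK, nil
}
```

With the `<^$>` policy, an anonymous GET of `rn:hydra:keys:hydra.openid.connect:public` returns 200 under the fixed behaviour and 401 under the old one, a request for the `private` kid of the same set stays 403 in both, and a client that does present a token is not matched by `<^$>` at all; that last point is the difference from the `<.*>` policy tried earlier in the thread, which matches every subject including the empty one.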
* cmd: hydra token user should show id token in browser - closes #224
* cli: hydra clients import doesn't print client's secret - closes #221
* travis: ld flags are wrong - closes #242
* all: resolve naming inconsistencies in jwk set names used in hydra - closes #239
* sdk: resolve naming inconsistencies - closes #226
* docs: resolve gitbook issue with image assets
* jwk: anonymous request can't read public keys - closes #253
* client: add ability to update client - closes #250
* core: document hard-wired JWK sets - closes #247
* docs: fix images in readme - closes #261
Hi,
I can't get a public key for verifying id_tokens with a freshly created Client.
Key endpoint
https://hydra/keys/hydra.openid.connect/public
Policy
Client's configuration:
Client requests
id_token token
hydra.keys.get openid all
Hydra's logs:
I think the problem is here: