Check self-signed ID token when access token is verified #43585
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #43583.
This PR is about
Avoiding an internal ID token verification when
JsonWebToken
injected by mistake butnot accessed
from the code, even if the OAuth2 providers return binary/opaque access tokensUsers getting a correct error message when they attempt to access the access token using
JsonWebToken
API but the OAuth2 providers return opaque/binary access tokensFor example, in case of Github, when they have
then any method which attempts to access the Githib binary access token as
jwt
, will get, instead of the confusing error such as:a more appropriate, here in devmode:
It will make it possible nearly immediately identify the problem which is about the user attempting to use a wrong API to access the binary token. Unfortunately we can't detect it at build time, for ex, we know, Github returns binary access tokens, but this is not part of any contract, the format can change any time.
So PR just makes sure that a check for a self-signed ID token is done correctly in both of the code branches where an ID tokne verification is attempted, with and without the initial code flow access token verification.
The added test confirms that, with a provider returning an opaque access token (value =
alice
- to match the OidcWiremock stub rule), the endpoint method works as expected if an injectJsonWebToken
is not accessed, but fails with the server error otherwise.It all may be a bit confusing, but all in all, it is really about improving the user experience when they make a mistake with trying to access opaque access tokens as JSON web tokens. The fix is very simple - encapsulate the code which checks how to proceed with the ID token verification into a utility method and call it from both places where it is necessary