
authorize endpoint fails if public jwk doesn't include .alg

Open alastair opened this issue 5 years ago • 0 comments

In the guide for the webid-oidc spec, the "Authorization Request" step describes the encoding of the request parameter.

This includes the public key of a JWK in the key field. I'm using a python tool to generate keys (jwcrypto), but when it generates a public key it doesn't include the "alg" field:

{
  "kty": "RSA",
  "n": "sezpNr99QA7xMqkNvpZamVDdkiAn_xvuH2H5nTFKYDKILny3a1hp2ULV2nvumiCt9IsxEuvPjAGRQsPMKwDkCjhzO70EoFyb2k2PzwBk_Fd37xNbl4Nrb4W9zK7Vff5vXmtBOFSSzsUdUf52zZMii7RZBcDQSLcmv63qV_NDpvGNOTadth1nbJhzMtQDQWBlWbClI8Z4R0fGgx7yhQvMqOl6vIlFfricBcoe2nopS51uUbsZSNSkTrGHCsBM_ggvVcWzFAvipkSsplEPhvdT1K7oC4Q6yNG6koPPajpxNnEw05Nh5YHIUcmhFKj76rqaCNtwBejYBxeQp2rwnLekKQ",
  "e": "AQAB"
}

According to the JWK spec, this parameter is optional: https://tools.ietf.org/html/rfc7517#section-4.4

When generating an authorization request, if the key doesn't include alg, node-solid server returns an error. The exception that causes this is:

normalizedAlgorithm = Error: undefined is not a supported algorithm
    at SupportedAlgorithms.normalize (node_modules/@solid/jose/src/algorithms/SupportedAlgorithms.js:75:14)
    at Function.importKey (node_modules/@solid/jose/src/jose/JWA.js:89:51)
    at Function.importKey (node_modules/@solid/jose/src/jose/JWK.js:31:16)
    at AuthenticationRequest.loadCnfKey (node_modules/@solid/oidc-op/src/handlers/AuthenticationRequest.js:212:16)
    at node_modules/@solid/oidc-op/src/handlers/AuthenticationRequest.js:176:26

It seems that jose.JWA expects that the alg field exists: https://github.com/solid/jose/blob/71ebf31761002bcb18ce88e739a30a8a6459936f/src/jose/JWA.js#L89

I couldn't find any specific webid-oidc documentation that says that alg is required in this case. It might be nice for node-solid-server to return an explicit error message if a submitted key doesn't include it.

alastair, Feb 03 '21 12:02
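The explicit error the issue asks for could come from a check that runs before the submitted key reaches the import call. This is an added example, not code from node-solid-server, @solid/oidc-op or @solid/jose; the function name `validateCnfKey`, the algorithm allow-list and the sample keys are assumptions.

```javascript
// Hypothetical pre-import validation of the public JWK sent in the request.
const ALLOWED_ALGS = { RSA: ['RS256', 'RS384', 'RS512'] } // assumed allow-list
const REQUIRED = { RSA: ['n', 'e'] }                      // public RSA members
const PRIVATE = ['d', 'p', 'q', 'dp', 'dq', 'qi']         // private RSA members

function reject (description) {
  // 'invalid_request' is the standard OAuth 2.0 error code for a malformed request.
  return { ok: false, error: 'invalid_request', error_description: description }
}

function validateCnfKey (jwk) {
  if (jwk === null || typeof jwk !== 'object' || Array.isArray(jwk)) {
    return reject('key must be a JWK object')
  }
  if (!Object.prototype.hasOwnProperty.call(REQUIRED, jwk.kty)) {
    return reject(`unsupported or missing "kty": ${JSON.stringify(jwk.kty)}`)
  }
  for (const name of REQUIRED[jwk.kty]) {
    if (typeof jwk[name] !== 'string' || jwk[name] === '') {
      return reject(`key is missing required member "${name}"`)
    }
  }
  // The request should carry a public key only; refuse private material.
  const leaked = PRIVATE.filter(name => name in jwk)
  if (leaked.length > 0) {
    return reject(`key must be public; remove private member(s): ${leaked.join(', ')}`)
  }
  // RFC 7517 makes "alg" optional, so report its absence instead of
  // letting the import fail with "undefined is not a supported algorithm".
  if (typeof jwk.alg !== 'string') {
    return reject('key is missing "alg", which this server needs to import the key')
  }
  if (!ALLOWED_ALGS[jwk.kty].includes(jwk.alg)) {
    return reject(`"alg" ${JSON.stringify(jwk.alg)} is not allowed for kty ${jwk.kty}`)
  }
  return { ok: true, key: jwk }
}

// Constructed sample keys (the modulus is a placeholder, not a real key).
const withoutAlg = { kty: 'RSA', n: 'constructed-modulus', e: 'AQAB' }
const withAlg = { ...withoutAlg, alg: 'RS256' }
console.log(validateCnfKey(withoutAlg))
console.log(validateCnfKey(withAlg))
```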