Empty "oth" Parameter Array Causes Token Decoding Failure [NextAuth.js] (Issue #863)

Open oscardavidiaz opened this issue 10 months ago • 9 comments

Hello,

Since upgrading to SimpleIdServer version 5, I encountered issues when obtaining the access_token. After investigating, I identified two key problems:

  1. With SimpleIdServer, it is necessary to include client credentials in the body when calling the Token Endpoint. This can be resolved by setting the client property token_endpoint_auth_method: 'client_secret_post' in the OAuth2.0 Provider.

  2. In the JWKS Endpoint, the signing keys contain an empty array in the "oth" property. This results in the following error in NextAuth.js when decoding the token:

[next-auth][error][OAUTH_CALLBACK_ERROR] 
https://next-auth.js.org/errors#oauth_callback_error RSA JWK "oth" (Other Primes Info) Parameter value is not supported {
  error: [Error [OAuthCallbackError]: RSA JWK "oth" (Other Primes Info) Parameter value is not supported] {
    code: 'ERR_JOSE_NOT_SUPPORTED'
  },
  providerId: 'simpleidserver',
  message: 'RSA JWK "oth" (Other Primes Info) Parameter value is not supported'
}

I am currently focusing on resolving the issue described in point 2 and will address it in an upcoming pull request.

oscardavidiaz avatar Apr 07 '25 05:04 oscardavidiaz
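As an added illustration (not code from the issue, SimpleIdServer or NextAuth.js), a small JavaScript lint that flags the malformed JWKS shape reported above, plus a normalizer that applies the same idea as the server-side fix: drop an empty "oth" from every RSA key, signing and encryption keys alike. The sample JWKS is constructed and the function names are my own.

```javascript
// Lint a JWKS document: one finding string per problem, empty array when clean.
// RFC 7518 s6.3.2.7: "oth" MUST be absent when an RSA key has only two primes, so an
// empty array is malformed; jose rejects any RSA JWK that carries "oth" at all.
function lintJwks(jwks) {
  const findings = [];
  if (!jwks || !Array.isArray(jwks.keys)) {
    return ['JWKS document has no "keys" array'];
  }
  jwks.keys.forEach((jwk, i) => {
    const id = jwk.kid ? `kid=${jwk.kid}` : `index=${i}`;
    if (jwk.kty !== 'RSA') return; // only RSA keys carry "oth"
    for (const member of ['n', 'e']) {
      if (typeof jwk[member] !== 'string' || jwk[member] === '') {
        findings.push(`${id}: RSA key is missing required member "${member}"`);
      }
    }
    if (jwk.oth === undefined) return;
    if (Array.isArray(jwk.oth) && jwk.oth.length > 0) {
      findings.push(`${id}: multi-prime RSA key ("oth" has ${jwk.oth.length} entries), unsupported by jose`);
    } else {
      findings.push(`${id}: "oth" is present but empty; it must be omitted for two-prime keys`);
    }
  });
  return findings;
}

// Server-side fix, the same idea as the thread's PR for the JWKS endpoint:
// drop an empty "oth" from every RSA key, signing and encryption keys alike.
function stripEmptyOth(jwks) {
  return {
    ...jwks,
    keys: jwks.keys.map((jwk) => {
      if (jwk.kty === 'RSA' && Array.isArray(jwk.oth) && jwk.oth.length === 0) {
        const { oth, ...rest } = jwk; // "oth" dropped, every other member kept
        return rest;
      }
      return jwk;
    }),
  };
}

// Constructed sample mimicking the issue: RSA sig and enc keys published with "oth": [].
// The "n", "x" and "y" values are short placeholders, not real key material.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', use: 'sig', kid: 'sig-1', alg: 'RS256', n: 'n-placeholder', e: 'AQAB', oth: [] },
    { kty: 'RSA', use: 'enc', kid: 'enc-1', alg: 'RSA-OAEP', n: 'n-placeholder', e: 'AQAB', oth: [] },
    { kty: 'EC', use: 'sig', kid: 'ec-1', crv: 'P-256', x: 'x-placeholder', y: 'y-placeholder' },
  ],
};
```

Run `lintJwks` against the JSON fetched from the IdP's jwks_uri to confirm the endpoint is clean before wiring up a client; `stripEmptyOth` shows the shape the endpoint should return.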

Hello 🙂

Since version 5.0.3, the PKCE concept has been removed from the list of client authentication methods, as it is not valid to consider PKCE an authentication method.

Now, if you want to use PKCE, the IsPublic property of the client must be set to true. Otherwise, the token endpoint will use the TokenEndPointAuthMethod to authenticate the client. Could you please set this property?

Regarding the oth issue, I’ll review your pull request as soon as possible. 😊 Thanks a lot for your contribution!

thabart avatar Apr 07 '25 08:04 thabart

Hello, my friend,

Is there a specific reason for abandoning the PKCE authentication method? I noticed that this authentication flow is generally recommended for SPAs instead of using the authorization code flow without PKCE.

See:

Anyway, I have set the IsPublic property in the Client as you suggested.

I'm using version 5.0.2 :)

oscardavidiaz avatar Apr 07 '25 15:04 oscardavidiaz

We haven't abandoned PKCE.

Since version 5.0.3, we removed PKCE from the client authentication methods because, according to the RFC:

"PKCE is not a form of client authentication, and PKCE is not a replacement for a client secret or other client authentication."

To enable PKCE, you need to set the IsPublic property to true.

Could you please upgrade to version 5.0.3 and check if it works?

simpleidserver avatar Apr 07 '25 15:04 simpleidserver

Or use the latest version, 5.0.4-rc1.

thabart avatar Apr 07 '25 15:04 thabart

Oh, I see! Setting IsPublic only enables PKCE.

The issue I reported applies to SimpleIdServer version 5.0.2 and NextAuth.js (authentication for Next.js) version 4.24.11.

I'll test with the latest version of SimpleIdServer that you suggested, removing the token_endpoint_auth_method: 'client_secret_post' value from my provider configuration in NextAuth.js. However, for now, with SimpleIdServer version 5.0.2 and the change I submitted in PR #864, everything is working fine.

oscardavidiaz avatar Apr 07 '25 15:04 oscardavidiaz

Hi, my friend,

I tested using the latest version, 5.0.4-rc1, but I encountered the same results as with version 5.0.2. Here are the steps I followed:

  1. Checked out the 5.0.4-rc1 tag, built the Docker images and started the containers.

  2. Set the IsPublic property in my client to True.

  3. Ran my Next.js app, commenting out the client property token_endpoint_auth_method: 'client_secret_post'.

This resulted in the first error mentioned in this issue.

  4. Uncommented the client property token_endpoint_auth_method: 'client_secret_post'.

This resulted in the second error mentioned in this issue.

  5. Checked out my branch ignore-empty-oth, which contains the changes I submitted in the last pull request.

  6. Set the IgnoreEmptyOthInJwksEndpoint configuration to True.

After this, the token was successfully decoded. :)

I hope this test and my pull request will be helpful.

Best regards,
Oscar

oscardavidiaz avatar Apr 08 '25 06:04 oscardavidiaz

I’ve accepted your merge request 😊

I removed the IgnoreEmptyOthInJwksEndpoint setting from the configuration because, according to RFC 7517, the oth parameter must not be returned by the JWKS endpoint.

simpleidserver avatar Apr 08 '25 12:04 simpleidserver

Awesome! I contributed to making it work with signing keys, but I’m not sure if it’s necessary to do the same for encryption keys as well. :)

oscardavidiaz avatar Apr 08 '25 15:04 oscardavidiaz

Indeed, the same change can be applied to the encryption keys. This issue will be fixed as soon as possible.

thabart avatar Apr 09 '25 09:04 thabart