I'm using a simple test of: <div class="snippet-clipboard-content notranslate posi

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Roger that <a class="user-mention notranslate" data-hovercard-type="user" data-hoverca

I have the same issue as mentioned by <a class="user-mention notranslate" data-hoverca

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Unable to verify JWT claims about openid-connect-php HOT 11 OPEN

jumbojett commented on July 18, 2024

Unable to verify JWT claims

from openid-connect-php.

Comments (11)

ahamilton9 commented on July 18, 2024 7

I had an issue with this message as well, but not the same underlying issue. The "Not Before" claim was coming in a second ahead of our server time, and wouldn't allow it to validate. There are 6 checks going on in this function. Would it make sense to make separate exceptions, or at least different messages for the individual checks? It took me quite a bit of time to figure out what was going on. Willing to try my hand at making a PR if there is agreement on the direction I should take.

from openid-connect-php.

identitymonk commented on July 18, 2024 6

Hi,

There is also a problem in the provider URL.

When constructed, the OpenID Connect configuration ask for the base provider URL to which it automatically add the /.well-known/openid-configuration suffix. Then the $wellKnown value is loaded with all the openid server properties, including the issuer url.

Then in the function verifyJWTClaims the return value should be:

return (($claims->iss == $this->wellKnow->issuer)
&& (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
&& ($claims->nonce == $this->getNonce())
&& ( !isset($claims->exp) || $claims->exp >= time())
&& ( !isset($claims->nbf) || $claims->nbf <= time())
&& ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )

and not:

return (($claims->iss == $this->getProviderURL())
&& (($claims->aud == $this->clientID) || (in_array($this->clientID, $claims->aud)))
&& ($claims->nonce == $this->getNonce())
&& ( !isset($claims->exp) || $claims->exp >= time())
&& ( !isset($claims->nbf) || $claims->nbf <= time())
&& ( !isset($claims->at_hash) || $claims->at_hash == $expecte_at_hash )

Cause the providerURL can be very different of the issuerURL.

from openid-connect-php.

tominovak33 commented on July 18, 2024

Hello,
just change "https://accounts.google.com/" to "https://accounts.google.com" (so remove the forwardslash) at the end of your provider URL

I think the reason it is failing is because after the redirect is done google sends back a field specifying what the issuer URL was and the discrepancy means that while the request works 'https://accounts.google.com/' does not match the expected 'https://accounts.google.com'

from openid-connect-php.

ftzdomino commented on July 18, 2024

Would an rtrim($url, '/') during the comparison cause any security issues?

from openid-connect-php.

jricher commented on July 18, 2024

@ftzdomino Yes. It may seem simple in this case but you're getting into a strange world of black magic if you start doing matching other than strict string matches. Nonexact matching (of redirect URIs, but it's the same principle) has been at the root of a few different major security breaches in the wild.

from openid-connect-php.

genebean commented on July 18, 2024

It seems I need some help with this one too... removing the trailing slash didn't fix this for me. I have tried switching to the repo, and not specifying a version to composer and both give me this error:

Fatal error: 
Uncaught exception 'OpenIDConnectClientException' with message 
'Unable to verify JWT claims' in /vagrant/website/oidc/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:251 
Stack trace: 
#0 /vagrant/website/oidc/index.php(13): OpenIDConnectClient->authenticate() 
#1 {main} thrown in /vagrant/website/oidc/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php on line 251

If I switch to the version in the readme (0.1.*) I get a different error:

Fatal error: 
Uncaught exception 'OpenIDConnectClientException' with message 
'Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). 
The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. 
If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client.' in /vagrant/website/oidc/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php:189 
Stack trace: 
#0 /vagrant/website/oidc/index.php(13): OpenIDConnectClient->authenticate() 
#1 {main} thrown in /vagrant/website/oidc/vendor/jumbojett/openid-connect-php/OpenIDConnectClient.php on line 189

My code looks like this:

<?php
  date_default_timezone_set('America/New_York');
  ini_set("display_errors", '1');
  error_reporting(E_ALL);

  require dirname(__FILE__) . '/vendor/autoload.php';
  session_start();

  if(isset($_SESSION['client_id']) && $_SESSION['client_id'] &&
     isset($_SESSION['client_secret']) && $_SESSION['client_secret']) {

    include 'cinfo.php';
    $oidc->authenticate();
    if (isset($_GET['code'])) {
      $_SESSION['access_token'] = $oidc->getAccessToken();
      header("Refresh:5; url=${_SESSION['redirect_url']}");
    }

  } else {
    echo '<h2>Registering the client</h2>';

    $oidc = new OpenIDConnectClient("https://gluu-test.example.com");
    $oidc->setRedirectURL('https://' . $_SERVER['SERVER_NAME'] . ':8443/oidc/index.php');
    $oidc->setClientName("Gene's Dynamic Client");
    $oidc->register();

    // Store registratin info in the session
    $_SESSION['client_id']     = $oidc->getClientID();
    $_SESSION['client_secret'] = $oidc->getClientSecret();
    $_SESSION['redirect_url']  = $oidc->getRedirectURL();
    $_SESSION['client_name']   = $oidc->getClientName();

    header('Refresh:5');
  }
/*
  $name = $oidc->requestUserInfo('given_name');
*/

?>

<html>
<head>
    <title>Gene's Example Client</title>
    <style>
        body {
            font-family: 'Lucida Grande', Verdana, Arial, sans-serif;
        }
    </style>
</head>
<body>

    <div>
        Hello <?php echo $name; ?>
    </div>
    <pre><?php print_r($_SESSION); ?></pre>
    <p><a href='/oidc/logout.php'>Logout</a></p>
</body>
</html>

from openid-connect-php.

genebean commented on July 18, 2024

Disregard... it seems I had the provider url in two places and one of them still had a / on the end of it.

from openid-connect-php.

jumbojett commented on July 18, 2024

Roger that @genebean. Glad you were able to get it working! 🎉

from openid-connect-php.

burnhamrobertp commented on July 18, 2024

I have the same issue as mentioned by @ahamilton9

I had an issue with this message as well, but not the same underlying issue. The "Not Before" claim was coming in a second ahead of our server time, and wouldn't allow it to validate. There are 6 checks going on in this function. Would it make sense to make separate exceptions, or at least different messages for the individual checks? It took me quite a bit of time to figure out what was going on. Willing to try my hand at making a PR if there is agreement on the direction I should take.

Not sure if its appropriate to fuzz the time checking by even the slightest amount (a couple of seconds?) but otherwise I'm not sure exactly how to handle this situation.

from openid-connect-php.

jumbojett commented on July 18, 2024

@Harkenn make sure you remove the trailing slash on the provider url.

👍 https://provider.url
👎 https://provider.url/

Make sense?

from openid-connect-php.

muhammadfauzi22 commented on July 18, 2024

Hello, i also have similar issue..
This is my code

$oidc = new OpenIDConnectClient(
				$this->config->item('SSO_PROVIDER_URL'),
				$this->config->item('SSO_CLIENT_ID'),
				$this->config->item('SSO_CLIENT_SECRET')
			);
			$oidc->setVerifyHost(false);	//dev only
			$oidc->setVerifyPeer(false);	//dev only
			$oidc->setHttpUpgradeInsecureRequests(false);	//dev only
			$isAuthenticate = $oidc->authenticate();

The provider url in the config.php file doesn't have trailing slash.. It looks like this (redacted with *)
$config['SSO_PROVIDER_URL'] = 'https://auth.****.**.id/auth/realms/***ura-**st';
$config['SSO_CLIENT_ID'] = '***ola-****';
$config['SSO_CLIENT_SECRET'] = '********************************';

That code actually works in my local pc, but somehow when i deploy it on the server it keeps throwing me this error

An uncaught Exception was encountered
Type: Jumbojett\OpenIDConnectClientException

Message: Unable to verify JWT claims

Filename: /var/www/html/vendor/jumbojett/openid-connect-php/src/OpenIDConnectClient.php

Line Number: 373

Backtrace:

File: /var/www/html/application/controllers/Welcome.php
Line: 56
Function: authenticate

File: /var/www/html/index.php
Line: 315
Function: require_once

please help

from openid-connect-php.

Unable to verify JWT claims about openid-connect-php HOT 11 OPEN

Comments (11)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent