Comments (9)
oddly enough I got into this at some point and it has a signing key.
```go
// SigningKey implements the op.Storage interface
func (o *OPStorage) SigningKey(ctx context.Context) (key op.SigningKey, err error) {
	err = retry(func() error {
		key, err = o.getSigningKey(ctx)
		if err != nil {
			return err
		}
		if key == nil {
			return zerrors.ThrowInternal(nil, "test", "test")
		}
		return nil
	})
	return key, err
}
```
from zitadel.
@livio-a @muhlemmer can you help here?
Can you check this discussion and answer and see if the same applies to your situation: #7198
Ok I get where the bug is.
@muhlemmer "After a private key expires the new keypair is only created (ad-hoc) when a new token that needs to be signed is requested. (For example an ID token or access token as JWT)."
When a client makes a call to the JWKS endpoint Zitadel MUST return public keys. It doesn't matter if anything has not yet used the private key to sign. When someone asks you for something then give it to them.
It is unacceptable to have an empty public key response.
I would copy that so called (ad-hoc) code to cover both cases.
Also, this discussion, Seamless JWKs rotation cannot be ignored. There is a reason your competitors have it.
I guess I can get my devops guys to automate a login every 5 minutes to ensure that Zitadel creates keys. :(
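As an added illustration of the behaviour described in the comment above (this is a constructed model, not Zitadel's code), the JWKS path either skips the ad-hoc key creation that the token-signing path already performs (`ensure=false`, the reported behaviour: an empty set between key expiry and the next signed token) or shares it (`ensure=true`, the fix the commenter proposes). `KeyStore`, its fields and the use of Ed25519 are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"time"
)

// KeyStore is a constructed model of the behaviour described in the thread: one active
// key pair with an expiry, and a replacement minted only on demand (Ed25519 for brevity).
type KeyStore struct {
	kid     string
	expires time.Time
	priv    ed25519.PrivateKey
	Now     func() time.Time // injectable clock so expiry can be simulated
	TTL     time.Duration
}

// ensureKey is the "ad-hoc" creation path: mint a fresh pair if none is valid.
func (s *KeyStore) ensureKey() error {
	if s.priv != nil && s.Now().Before(s.expires) {
		return nil
	}
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	s.kid, s.expires, s.priv = s.Now().UTC().Format(time.RFC3339Nano), s.Now().Add(s.TTL), priv
	return nil
}

// Sign is the token-signing path, which already runs ad-hoc creation.
func (s *KeyStore) Sign(msg []byte) (kid string, sig []byte, err error) {
	if err := s.ensureKey(); err != nil {
		return "", nil, err
	}
	return s.kid, ed25519.Sign(s.priv, msg), nil
}

// JWKS publishes the set keyed by kid; ensure=true also runs ad-hoc creation on this path.
func (s *KeyStore) JWKS(ensure bool) (map[string]ed25519.PublicKey, error) {
	if ensure {
		if err := s.ensureKey(); err != nil {
			return nil, err
		}
	}
	if s.priv == nil || !s.Now().Before(s.expires) {
		return map[string]ed25519.PublicKey{}, nil
	}
	return map[string]ed25519.PublicKey{s.kid: s.priv.Public().(ed25519.PublicKey)}, nil
}
```

A relying party that caches the JWKS and only refreshes on an unknown `kid` would, with `ensure=false`, fetch an empty set after expiry and fail every token until someone triggers a signing.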
It is unacceptable to have an empty public key response.
That's a matter of opinion, but not a valid bug report.
Also, this discussion, #5690 cannot be ignored. There is a reason your competitors have it.
Why even raise a bug if you are already part of the discussion regarding JWKs rotation. Put effort in the discussion, or come with a decent proposal or PR that solves a problem for you.
Voting to close @hifabienne, @livio-a because:
- Currently behaves as designed.
- Current behavior is documented.
- Current behavior is explained in discussion: #7198
- OP is already part of a discussion in changing the design #5690
Alternatively this can be reshaped in a feature request and/or merged with the seamless design.
I raised it as a bug because there are going to be enterprise clients (our customers) that will poll for a JWKS and zitadel will return nothing. They have old stuff and don't do on-demand pulling of keys.
This means that all tokens used will fail validation.
I would argue that this is a critical show stopper vs a bug.
This is the current landscape of clients using auth and I really don't want to have a conversation with a customer saying:
Well Zitadel has it documented, good luck!
BTW: Zitadel may fail OIDC specifications over this.
I don't think there is carve out to say "we didn't use a private key to sign anything yet so no public keys".
I don't think it's a matter of opinion that keys MUST be returned even if nothing has been signed by their private key half.
15.2. Mandatory to Implement Features for Dynamic OpenID Providers
In addition to the features listed above, OpenID Providers supporting dynamic establishment of relationships with RPs that they do not have a pre-configured relationship with MUST also implement the following features defined in this and related specifications.
Response Types
These OpenID Providers MUST support the id_token Response Type and all that are not Self-Issued OPs MUST also support the code and id_token token Response Types.
Discovery
These OPs MUST support Discovery, as defined in [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-core-1_0.html#OpenID.Discovery) [OpenID.Discovery].
Dynamic Registration
These OPs MUST support Dynamic Client Registration, as defined in [OpenID Connect Dynamic Client Registration 1.0](https://openid.net/specs/openid-connect-core-1_0.html#OpenID.Registration) [OpenID.Registration].
UserInfo Endpoint
All dynamic OPs that issue Access Tokens MUST support the UserInfo Endpoint, as defined in [Section 5.3](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo). (Self-Issued OPs do not issue Access Tokens.)
Public Keys Published as Bare Keys
These OPs MUST publish their public keys as bare JWK keys (which MAY also be accompanied by X.509 representations of those keys).
Request URI
These OPs MUST support requests made using a Request Object value that is retrieved from a Request URI that is provided with the request_uri parameter, as defined in [Section 6.2](https://openid.net/specs/openid-connect-core-1_0.html#RequestUriParameter).
See this discussion for a proposal wrt key management:
closing in favor of the discussion mentioned above