
Enforcing algorithm values #435

Closed
jalauros opened this issue Mar 26, 2019 · 3 comments
@jalauros

Environment

Any

Expected behaviour

When using primitives like OIDCUserInfoSignedResponseAlg, the RP should verify that the received response has actually been signed with the listed algorithm(s).

Actual behaviour

If one sets, for instance, the value RS256 for OIDCUserInfoSignedResponseAlg, the RP is able to handle the incoming signed response and validate it, but it does not verify that the algorithm is actually RS256.

Minimized example
Configuration and Apache server log files
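The gap described in this report, as an added illustration that is not mod_auth_openidc code: two verifiers for a compact JWS UserInfo response. `verify_lax` trusts the `alg` in the JWS header, so a response signed with a different algorithm that the RP happens to support still passes; `verify_strict` requires the header `alg` to equal the configured OIDCUserInfoSignedResponseAlg value before the signature is even checked. HS256/HS384 stand in for RS256 so the example runs on the standard library alone; the key and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Stand-in algorithms: the RP in this issue is configured for RS256, but HMAC keeps this stdlib-only.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384}
DEMO_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret
DEMO_CLAIMS = {"sub": "alice", "email": "alice@example.com"}  # constructed UserInfo claims


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jws(payload: dict, key: bytes, alg: str) -> str:
    """Build a compact JWS (header.payload.signature) for the demo."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def _header_alg(token: str) -> Optional[str]:
    return json.loads(_b64url_decode(token.split(".")[0])).get("alg")


def _signature_valid(token: str, key: bytes, alg: str) -> bool:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def verify_lax(token: str, key: bytes) -> Optional[dict]:
    """Behaviour reported in the issue: the alg comes from the token header, only the signature is checked."""
    alg = _header_alg(token)
    if alg not in HMAC_ALGS or not _signature_valid(token, key, alg):
        return None
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_strict(token: str, key: bytes, configured_alg: str) -> Optional[dict]:
    """Expected behaviour: the header alg must equal the configured signed-response alg."""
    if _header_alg(token) != configured_alg:
        return None  # algorithm mismatch is rejected before any signature check
    if not _signature_valid(token, key, configured_alg):
        return None
    return json.loads(_b64url_decode(token.split(".")[1]))
```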
zandbelt commented Dec 7, 2019

It turns out that this is actually a spec requirement, as follows from this discussion: openid-certification/oidctest#207, so I'm reclassifying as a bug that needs to be addressed for the next release.

@zandbelt zandbelt added bug and removed enhancement labels Dec 7, 2019
zandbelt added a commit that referenced this issue Dec 9, 2019
zandbelt commented Dec 9, 2019

now released in 2.4.1
