mozilla / mozilla-django-oidc

A django OpenID Connect library

Home Page:https://mozilla-django-oidc.readthedocs.io

SuspiciousOperation at /oidc/callback/: The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO

rv2931 opened this issue · comments

Hello
I have a bitnami/keycloak Docker instance on my local dev machine and am trying to authenticate a Django mozilla-django-oidc client.
The first problem I met was

"ConnectionError at /oidc/callback/" Failed to establish a new connection: [Errno 111] Connection refused

I solved this error by replacing "localhost" with "host.docker.internal:8443" for OIDC_OP_AUTHORIZATION_ENDPOINT, OIDC_OP_TOKEN_ENDPOINT and OIDC_OP_USER_ENDPOINT. It is due to the use of the Docker platform: here localhost is not the real localhost, and so you have to use host.docker.internal.

Then I met

SSLError at /oidc/callback/ [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate

As my keycloak instance is not using a verified SSL cert, I added OIDC_VERIFY_SSL=False to my dev.py platform settings.

Now I'm stuck with the error

SuspiciousOperation at /oidc/callback/ The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO.

I have tried different values of the OIDC_RP_IDP_SIGN_KEY setting, which seems to be linked to OIDC_OP_JWKS_ENDPOINT, but I didn't manage to solve this error.
It seems to be linked to encryption, but changing OIDC_RP_IDP_SIGN_KEY hasn't changed anything so far.

If you have an idea of the source of this problem and could explain it a little, it would be great. I surely have something to do somewhere: the oidc plugin? keycloak?

Thank you in advance for your support. As I'm a beginner with Django, I don't really know which data to supply to help you.
Here is the traceback:

Environment:

Request Method: GET
Request URL: http://localhost:8000/oidc/callback/?state=6XEeOdgst8n6x7EUNqGwHGSvjmXEMQ2d&session_state=3d1077b2-9b45-4123-b344-64ed006ba02a&code=0971c565-f4cd-42a2-9a31-e41fba22c8ab.3d1077b2-9b45-4123-b344-64ed006ba02a.663462e2-940c-4fc2-84d0-aac963c73d7f

Django Version: 4.0.3
Python Version: 3.9.12
Installed Applications:
['django.contrib.admin',
'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',
'mozilla_django_oidc']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware']

Traceback (most recent call last):
File "/usr/local/lib/python3.9/site-packages/django/core/handlers/exception.py", line 55, in inner
response = get_response(request)
File "/usr/local/lib/python3.9/site-packages/django/core/handlers/base.py", line 197, in _get_response
response = wrapped_callback(request, *callback_args, **callback_kwargs)
File "/usr/local/lib/python3.9/site-packages/django/views/generic/base.py", line 84, in view
return self.dispatch(request, *args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/django/views/generic/base.py", line 119, in dispatch
return handler(request, *args, **kwargs)
File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/views.py", line 101, in get
self.user = auth.authenticate(**kwargs)
File "/usr/local/lib/python3.9/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
return func(*func_args, **func_kwargs)
File "/usr/local/lib/python3.9/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
user = backend.authenticate(request, **credentials)
File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 284, in authenticate
payload = self.verify_token(id_token, nonce=nonce)
File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 196, in verify_token
payload_data = self.get_payload_data(token, key)
File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 181, in get_payload_data
return self._verify_jws(token, key)
File "/usr/local/lib/python3.9/site-packages/mozilla_django_oidc/auth.py", line 127, in _verify_jws
raise SuspiciousOperation(msg)

Exception Type: SuspiciousOperation at /oidc/callback/
Exception Value: The provider algorithm 'RS256' does not match the client's OIDC_RP_SIGN_ALGO.

Hi
I finally partially solved my problem.
I was using OIDC_RP_IDP_SIGN_KEY="RS256" instead of OIDC_RP_SIGN_ALGO="RS256",
and I had to fill OIDC_RP_IDP_SIGN_KEY with the Kid from the Keycloak RS256 key.
So the good configuration for keycloak seems to be

OIDC_RP_SIGN_ALGO="RS256"
OIDC_RP_IDP_SIGN_KEY='Key from realm settings>keys>RS256>Kid'

Now I'm facing a
AttributeError at /oidc/callback/ 'bytes' object has no attribute 'verify'

but as I have already read about this error, I think it is a common one, so I'll close this ticket and open another one if needed.
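The two steps behind this thread, as an added Python example that is not mozilla-django-oidc's own code: the relying party pins the signature algorithm it will accept (what OIDC_RP_SIGN_ALGO does, and what the traceback's SuspiciousOperation enforces), and only then selects the provider key named by the token's kid from the JWKS document. The JWKS entries, kid values and token below are constructed for the example; the actual RSA signature check is left to the JOSE library that receives the selected key.

```python
import base64
import json

# Constructed sample values for this example; not real Keycloak material.
CLIENT_SIGN_ALGO = "RS256"  # the algorithm the relying party pins (OIDC_RP_SIGN_ALGO)
JWKS = {"keys": [
    {"kty": "RSA", "alg": "RS256", "use": "sig", "kid": "kc-rs256-key", "n": "AQAB", "e": "AQAB"},
    {"kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "kid": "kc-rsa-oaep", "n": "AQAB", "e": "AQAB"},
]}


class SuspiciousToken(Exception):
    """The ID token must not be trusted (plays the role of Django's SuspiciousOperation)."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(segment: str) -> bytes:
    # JWS segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(header: dict) -> str:
    """Build a header.payload.signature compact JWS with a dummy body and signature (constructed)."""
    payload = {"iss": "https://host.docker.internal:8443/realms/demo", "sub": "user-1"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), _b64url(b"sig")])


def select_verification_key(id_token: str, expected_alg: str, jwks: dict) -> dict:
    """Pin the algorithm, then pick the provider signing key the token's kid names."""
    header = json.loads(_unb64url(id_token.split(".")[0]))
    alg = header.get("alg")
    # The client decides which algorithm is acceptable; the token header only has to
    # agree with it. Taking the algorithm from the header instead would let a token
    # choose its own verification method ('none', or a symmetric alg against an RSA key).
    if alg != expected_alg:
        raise SuspiciousToken(
            f"The provider algorithm '{alg}' does not match the client's "
            f"OIDC_RP_SIGN_ALGO '{expected_alg}'.")
    kid = header.get("kid")
    matches = [k for k in jwks["keys"]
               if k.get("kid") == kid and k.get("use", "sig") == "sig"
               and k.get("alg", expected_alg) == expected_alg]
    if len(matches) != 1:
        raise SuspiciousToken(f"Expected exactly one signing key for kid {kid!r}, found {len(matches)}.")
    return matches[0]  # hand this JWK to the JOSE library for the real signature check
```

A Keycloak realm signs ID tokens with RS256 by default, so a client pinned to a different algorithm hits the first check exactly as in the traceback above.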