UserInfo JWT access token issued by the implicit authorize flow is not signed

Description

When the implicit authorization flow involves both ID token and JWT access token issuance, the JWT access token is not signed. This makes the access token useless, as the OP's own UserInfo endpoint (the access token's sole audience) won't accept unsigned JWT access tokens.

This case was not covered by the existing JWT security tests and thus wasn’t spotted earlier.
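To make the failure mode concrete, here is an added example (not code from this issue or from the IdP itself) of the check a UserInfo endpoint performs on a JWT access token, together with a helper that builds both a properly signed token and an unsigned one of the kind described above. The HS256 shared secret, the claim values and the audience URL are constructed for the example; a real OP would verify with its configured signing credential. The validator rejects any token that is not a three-part JWS with a recognised algorithm and a verifying signature, which is exactly why an unsigned token is useless to its only audience.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example only; a real OP uses its
# configured signing credential and the matching verification key.
SHARED_SECRET = b"example-userinfo-shared-secret"
SUPPORTED_ALGS = {"HS256"}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_jwt(claims: dict, signed: bool) -> str:
    """Build a JWT access token. signed=False produces an unsigned token
    (alg "none", empty signature segment) like the one the bug describes."""
    header = {"typ": "at+jwt", "alg": "HS256" if signed else "none"}
    signing_input = (
        _b64url_encode(json.dumps(header).encode())
        + "."
        + _b64url_encode(json.dumps(claims).encode())
    )
    if not signed:
        return signing_input + "."
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_access_token(token: str, expected_audience: str) -> Optional[dict]:
    """UserInfo-side validation. Returns the claims only if the token is a
    JWS with a supported alg, a verifying signature and the right audience."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # "alg":"none" or an empty signature segment means the token is unsigned.
    if header.get("alg") not in SUPPORTED_ALGS or not sig_b64:
        return None
    expected = hmac.new(
        SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256
    ).digest()
    try:
        provided = _b64url_decode(sig_b64)
    except ValueError:
        return None
    if not hmac.compare_digest(expected, provided):
        return None
    claims = json.loads(_b64url_decode(payload_b64))
    aud = claims.get("aud")
    if aud != expected_audience and not (
        isinstance(aud, list) and expected_audience in aud
    ):
        return None
    return claims


if __name__ == "__main__":
    # Constructed claims; the audience is the OP's own UserInfo endpoint.
    sample = {"sub": "user1", "aud": "https://op.example/userinfo", "scope": "openid"}
    print(validate_access_token(make_jwt(sample, True), "https://op.example/userinfo"))
    print(validate_access_token(make_jwt(sample, False), "https://op.example/userinfo"))
```

A regression test for the issue above would issue a token through the implicit flow and run it through a validator of this shape, asserting that the result is not None; that is the kind of coverage the existing JWT security tests were missing.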

Environment

None

Activity

Henri Mikkonen, April 3, 2024 at 4:16 PM

After the fix, the full conformance test suite was successfully run with both opaque and JWT access tokens.

Henri Mikkonen, April 3, 2024 at 4:15 PM

Updated the security configuration wiring for UserInfo JWT access tokens to exploit client information in the same way as for ID token issuance.

Also updated the issued JWT security tests to cover this access token too. Previously they already covered the third-party JWT access tokens issued by the authorize endpoint.

Henri Mikkonen, April 3, 2024 at 3:51 PM

For the record: I spotted this when running the complete set of tests against the OIDC conformance test suite. I was first amazed why the same (automated) test suite hadn't spotted this problem earlier, but then I realized that previously I must have set the JWT access token type in OAUTH2.Token only. This time I used the global property for the same purpose, which is then wired to OIDC.SSO too, which covers the implicit token issuance sequences.

Fixed

Created April 3, 2024 at 3:24 PM
Updated April 11, 2024 at 9:36 AM
Resolved April 3, 2024 at 4:16 PM