Project: Identity Provider Plugin - Duo
Issue: JDUO-15

Switch IdP Token Handling to Nimbus JWT


    Details

    • Java Version:
      Amazon Coretto 11

      Description

      The Duo SDK strips much of the JWT they get back from their own OIDC token endpoint, and presents it as their own custom Model classes.

      Currently, I map those model classes to another set of custom ones in the API module. This allows other implementations to be pluggable without requiring the Duo Lombok-generated model.

      It seems more sensible to map those to the Nimbus JWT interface and implementations, as Nimbus seems (so far) to be the OIDC library of choice for the IdP.

      I have nearly finalized these changes in a local dev branch. If it works out, I think I will switch mainline over to this version. There are some implications: as Duo do not return the original JWS (signature component), and there is a stage doing signature validation, I need to recompute and add the signature back to the generated Nimbus JWT. The alternative would be to bypass signature checking, e.g. with a PlainJWT (no sig) for the native Duo SDK, but check it for other implementations (or similar). But I feel we should enforce that a signature is present for any SDK, for fear of falling foul of algo:none type exploits.
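The two halves of the approach described above (re-signing the claims the SDK hands back, then refusing to accept anything that is not a verified JWS) can be shown with the Nimbus JOSE+JWT API. The following is an added illustration, not code from the JDUO project or the Duo SDK. It assumes an HS256 key held by the IdP purely for the demo; the class name, the algorithm allow-list and the constructed claims are mine.

```java
import java.security.SecureRandom;
import java.text.ParseException;
import java.util.Date;
import java.util.Set;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.MACSigner;
import com.nimbusds.jose.crypto.MACVerifier;
import com.nimbusds.jwt.JWT;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import com.nimbusds.jwt.PlainJWT;
import com.nimbusds.jwt.SignedJWT;

/** Hypothetical gate that only lets verified, signed tokens through. */
public final class SignedTokenGate {

    // Assumption: the IdP only ever re-signs with HS256, so nothing else is accepted on the way back in.
    private static final Set<JWSAlgorithm> ALLOWED = Set.of(JWSAlgorithm.HS256);

    /** Re-sign claims from an SDK that dropped the original JWS, using a key the IdP controls. */
    public static SignedJWT resign(JWTClaimsSet claims, byte[] key) throws JOSEException {
        SignedJWT jwt = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.HS256).build(), claims);
        jwt.sign(new MACSigner(key));
        return jwt;
    }

    /** Parse a compact token and reject it unless it is a JWS with an allowed alg and a valid signature. */
    public static JWTClaimsSet verify(String compact, byte[] key) throws ParseException, JOSEException {
        JWT jwt = JWTParser.parse(compact);
        // PlainJWT is what an alg=none token parses to; EncryptedJWT is not a JWS either.
        if (jwt instanceof PlainJWT || !(jwt instanceof SignedJWT)) {
            throw new JOSEException("unsigned or non-JWS token rejected");
        }
        SignedJWT signed = (SignedJWT) jwt;
        JWSAlgorithm alg = signed.getHeader().getAlgorithm();
        if (!ALLOWED.contains(alg)) {
            throw new JOSEException("unexpected alg: " + alg);
        }
        if (!signed.verify(new MACVerifier(key))) {
            throw new JOSEException("signature verification failed");
        }
        JWTClaimsSet claims = signed.getJWTClaimsSet();
        Date exp = claims.getExpirationTime();
        if (exp == null || exp.before(new Date())) {
            throw new JOSEException("token expired or missing exp");
        }
        return claims;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];                // 256-bit demo key, generated here only for the example
        new SecureRandom().nextBytes(key);

        // Constructed claims standing in for what the SDK's model classes carry.
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice")
                .issuer("https://idp.example.test")
                .audience("duo-plugin")
                .expirationTime(new Date(System.currentTimeMillis() + 300_000))
                .build();

        String signed = resign(claims, key).serialize();
        System.out.println("signed token accepted for: " + verify(signed, key).getSubject());

        // The PlainJWT alternative from the description: same claims, no signature (alg=none).
        String unsigned = new PlainJWT(claims).serialize();
        try {
            verify(unsigned, key);
        } catch (JOSEException e) {
            System.out.println("unsigned token rejected: " + e.getMessage());
        }
    }
}
```

The point of the `instanceof` check is that Nimbus parses an `alg=none` token into a `PlainJWT` rather than a `SignedJWT`, so a gate that only knows how to verify `SignedJWT` never reaches a signature check at all for such input; failing closed there, plus an explicit algorithm allow-list, is what keeps the "signature must be present for any SDK" rule enforceable.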


              People

              Assignee:
              philip.smart@corp.jisc.ac.uk Philip Smart
              Reporter:
              philip.smart@corp.jisc.ac.uk Philip Smart
              Watchers:
              1


                  Time Tracking

                  Estimated: Not Specified
                  Remaining: 0 minutes
                  Logged: 2 days