
Token valid for another API audience gives misleading error message #19

Closed
jkogler-cloudflight opened this issue Nov 9, 2021 · 4 comments · Fixed by #21

Comments

@jkogler-cloudflight

If you create an access token for a different API audience, or a different tenant, then obviously the authorization should fail.
However, the error message is 401 "Malformed token".
This is quite misleading; normally, when a token is malformed, it is because you just gave a random string, or because you forgot to copy-paste a few characters.

The error comes from:

```python
from jose import jwt  # python-jose; provides get_unverified_header, decode and JWTError

# Inside the verifier's method; self.jwks, self.algorithms, self.audience,
# self.domain and self.auto_error are set on the instance.
unverified_header = jwt.get_unverified_header(token)
rsa_key = {}
for key in self.jwks['keys']:
    if key['kid'] == unverified_header['kid']:
        rsa_key = {
            'kty': key['kty'],
            'kid': key['kid'],
            'use': key['use'],
            'n': key['n'],
            'e': key['e']
        }
        #break # TODO: do we still need to iterate all keys after we found a match?
if rsa_key:
    payload = jwt.decode(
        token,
        rsa_key,
        algorithms=self.algorithms,
        audience=self.audience,
        issuer=f'https://{self.domain}/'
    )
else:
    # No key in the JWKS matched the token's kid: a bare JWTError is raised,
    # which the caller reports as "Malformed token".
    if self.auto_error:
        raise jwt.JWTError
```

The `kid` is different (because of the different API audience), and therefore `rsa_key` is empty, and a general `JWTError` is raised.

Is it possible to give a better error message? Maybe something like "Token not authorized" or "Token has wrong audience" would be better suited.
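An added example, not code from this thread or from the project, showing the distinction asked for here: the same kid lookup against a JWKS, but with a separate rejection message for a structurally broken token, an unknown kid (other tenant), a bad signature and a wrong audience. It uses constructed HS256 ("oct") keys, a stand-in `mint` function and made-up tenant/audience names so it runs on the standard library; the real library verifies RS256 keys fetched from the tenant's JWKS.

```python
import base64, hashlib, hmac, json

# Constructed JWKS: one symmetric ("oct") key for our tenant. The real library fetches
# RSA keys from https://{domain}/.well-known/jwks.json; HS256 keeps this stdlib-only.
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

JWKS = {"keys": [{"kty": "oct", "kid": "tenant-a-key", "k": b64url(b"tenant-a-secret")}]}
AUDIENCE, ISSUER = "https://api.example", "https://tenant-a.example/"

class AuthError(Exception):
    """Rejection with a specific reason instead of a blanket 'Malformed token'."""

def mint(kid: str, secret: bytes, claims: dict) -> str:  # stands in for the tenant's token endpoint
    signing_input = b64url(json.dumps({"alg": "HS256", "kid": kid}).encode()) + "." + b64url(json.dumps(claims).encode())
    return signing_input + "." + b64url(hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())
def verify(token: str, jwks: dict = JWKS, audience: str = AUDIENCE, issuer: str = ISSUER) -> dict:
    try:  # 1. Only a structurally broken token deserves "Malformed token".
        h_b64, p_b64, s_b64 = token.split(".")
        header, payload, sig = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), b64url_decode(s_b64)
    except ValueError:  # unpack errors, bad base64, bad JSON and bad UTF-8 all derive from it
        raise AuthError("Malformed token")
    # 2. kid lookup, as in the issue's loop. No match means the token was signed by a key
    #    this API never trusted (another tenant/domain); kid values are public in the JWKS.
    key = next((k for k in jwks["keys"] if k["kid"] == header.get("kid")), None)
    if key is None:
        raise AuthError("Token signed by unknown key (wrong tenant or domain)")
    if header.get("alg") != "HS256":
        raise AuthError("Unsupported algorithm")
    expected = hmac.new(b64url_decode(key["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError("Invalid signature")
    # 3. Claim checks run only after the signature is trusted.
    if payload.get("iss") != issuer:
        raise AuthError("Token has wrong issuer")
    aud = payload.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise AuthError("Token has wrong audience")
    return payload

def rejection_reason(token: str) -> str:
    """Return the message a caller would see, or 'ok' for an accepted token."""
    try:
        verify(token)
    except AuthError as e:
        return str(e)
    return "ok"
```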

@dorinclisu
Owner

The problem is not related to wrong audience, but more like wrong tenant. For sure it's possible to display an explicit message when rsa_key is empty instead of raising JWTError, but I'm not sure if this wouldn't cause a potential vulnerability, when an attacker could guess your kid by constructing tokens and checking the error message in a brute-force manner.

@dorinclisu
Owner

Though I think it's unlikely kid is sensitive in itself, and a smart attacker could anyway figure out if the kid is wrong or not with a timing attack leveraging the different execution times of the branches.

@jkogler-cloudflight
Author

I know way too little about JWT and their security.

But I doubt that this info (that the token is not valid for the audience/domain) is a security concern. An attacker could also just run the code locally and figure that out. In fact, he could just call https://{domain}/.well-known/jwks.json and extract the correct kid. That key id is not very secret information.

@dorinclisu
Owner

Published in 0.3.0.
