JWK check limits possible use cases for the JWT Framework Adapter #32636

Closed
@bgorski

Summary (*)

The way JWKs are checked in the JwsManager class when building JWTs limits possible use cases.
The thing is, we don't need algorithms set on the JWK object in order to add it to headers. The algorithm can be specified directly in the headers themselves and it will work properly, resulting in generation of a still-valid JWS.
Also, because Magento\Framework\Jwt\JwkFactory::createOct() requires keys of 2048 length, it's necessary to use the createFromData() method instead in case of shorter keys.

Examples (*)

The following example should result in creation of a valid JWS:

        $secret = "ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U=";
        $payload = json_encode([
            'MyCustomValue' => 'some value', //not important at all
            'nbf' => time(),
            'exp' => time() + 600,
            'iat' => time()
        ]);
        $header = [
            'alg' => 'HS256',
            'typ' => 'JWT'
        ];

        $objectManager = \Magento\Framework\App\ObjectManager::getInstance();

        /** @var \Magento\Framework\Jwt\JwkFactory $jwkFactory */
        $jwkFactory = $objectManager->create(\Magento\Framework\Jwt\JwkFactory::class);
        $jwk = $jwkFactory->createFromData(['kty' => 'oct', 'k' => $secret]);

        /** @var \Magento\JwtFrameworkAdapter\Model\JwsFactory $jwsFactory */
        $jwsFactory = $objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsFactory::class);
        $jws = $jwsFactory->create($header, $payload, null);

        /** @var \Magento\Framework\Jwt\Jws\JwsSignatureSettingsInterface $encryptionSettings */
        $encryptionSettings = $objectManager->create(
            \Magento\Framework\Jwt\Jws\JwsSignatureJwks::class,
            [
                'jwk' => $jwk
            ]
        );

        /** @var \Magento\JwtFrameworkAdapter\Model\JwsManager $jwsManager */
        $jwsManager = $objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsManager::class);

        $token = $jwsManager->build($jws, $encryptionSettings);

A valid JWS using the same data, headers and secret key can be created using the web-token/jwt-framework package directly (that's the package Magento uses as a dependency for the JWT Framework Adapter):

        $secret = "ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U=";
        $payload = [
            'MyCustomValue' => 'some value',
            'nbf' => time(),
            'exp' => time() + 600,
            'iat' => time()
        ];
        $header = [
            'typ' => 'JWT',
            'alg' => 'HS256'
        ];

        $jwk = new \Jose\Component\Core\JWK(['kty' => 'oct', 'k' => $secret]);
        $algorithmManagerFactory = new \Jose\Component\Core\AlgorithmManagerFactory();
        $algorithm = new \Jose\Component\Signature\Algorithm\HS256();
        $algorithmManagerFactory->add('HS256', $algorithm);
        $jwsBuilderFactory = new \Jose\Component\Signature\JWSBuilderFactory($algorithmManagerFactory);
        $jwsBuilder = $jwsBuilderFactory->create(['HS256']);
        $jws = $jwsBuilder->create()->withPayload(json_encode($payload))->addSignature($jwk, $header)->build();
        $serializer = new \Jose\Component\Signature\Serializer\CompactSerializer();

        $token = $serializer->serialize($jws, 0);

Proposed solution

#32637 - changes how the algorithm's existence in the data is checked


Please provide Severity assessment for the Issue as Reporter. This information will help during Confirmation and Issue triage processes.

  • Severity: S0 - Affects critical data or functionality and leaves users with no workaround.
  • Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.
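An added example, not part of the original issue and not Magento or web-token code: a plain-PHP HS256 signer that takes the algorithm from the protected header and treats the JWK's `alg` as the optional constraint it is in RFC 7517, section 4.4. The function names are hypothetical; the check that matters for HMAC keys is the minimum length from RFC 7518, section 3.2, not the presence of `alg` on the key.

```php
<?php
declare(strict_types=1);

// Added illustration; b64url(), b64urlDecode(), resolveAlg() and signHs256() are hypothetical names.

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64urlDecode(string $txt): string
{
    $bin = base64_decode(strtr($txt, '-_', '+/'), true);
    if ($bin === false) {
        throw new InvalidArgumentException('JWK "k" is not valid base64/base64url');
    }
    return $bin;
}

/** The protected header names the algorithm; a JWK "alg" is optional but must agree if present. */
function resolveAlg(array $header, array $jwk): string
{
    $alg = $header['alg'] ?? null;
    if (!is_string($alg)) {
        throw new InvalidArgumentException('Protected header has no "alg"');
    }
    if (isset($jwk['alg']) && $jwk['alg'] !== $alg) {
        throw new InvalidArgumentException('Header "alg" conflicts with JWK "alg"');
    }
    return $alg;
}

function signHs256(array $header, string $payload, array $jwk): string
{
    if (($jwk['kty'] ?? null) !== 'oct' || resolveAlg($header, $jwk) !== 'HS256') {
        throw new InvalidArgumentException('Only oct keys with HS256 are handled here');
    }
    $key = b64urlDecode($jwk['k'] ?? '');
    if (strlen($key) < 32) { // RFC 7518 section 3.2: key at least as long as the hash output
        throw new InvalidArgumentException('HS256 key shorter than 256 bits');
    }
    $input = b64url(json_encode($header)) . '.' . b64url($payload);
    return $input . '.' . b64url(hash_hmac('sha256', $input, $key, true));
}

// Constructed input: the key from the issue, with no "alg" member on the JWK.
$jwk = ['kty' => 'oct', 'k' => 'ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U='];
echo signHs256(['alg' => 'HS256', 'typ' => 'JWT'], json_encode(['iat' => 1700000000]), $jwk), PHP_EOL;
```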

Labels

  • Area: Framework
  • Issue: Confirmed (Gate 3 Passed. Manual verification of the issue completed. Issue is confirmed)
  • Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.)
  • Progress: done
  • Reported on 2.4.x (Indicates original Magento version for the Issue report.)
  • Reproduced on 2.4.x (The issue has been reproduced on latest 2.4-develop branch)
  • Triage: Dev.Experience (Issue related to Developer Experience and needs help with Triage to Confirm or Reject it)
