omniauth jwt provider doesn't support RSA, ECDSA and other public-key (PPK) algorithms
Summary
Since GitLab hands the secret and keys for OmniAuth authentication to the provider as a string, verification with the jwt library is not possible: the jwt library requires the public key as a key object, not as a string.
Steps to reproduce
Helm chart values to activate OmniAuth:
gitlab:
  unicorn:
    omniauth:
      enabled: true
      autoSignInWithProvider: jwt
      syncProfileFromProvider: ['jwt']
      syncProfileAttributes: ['email']
      allowSingleSignOn: true
      blockAutoCreatedUsers: false
      autoLinkLdapUser: false
      autoLinkSamlUser: false
      externalProviders: []
      providers:
        - secret: gitlab-jwt
Kubernetes secret with the provider settings:
name: jwt
app_secret: '-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsENjNqUOyW3SeVt3cYY7\nqkF273U+zIp0c4PMq95wDxFplrxT1iEbtes9rITIVa/4KyJmAf/P33Xi4j+qVRTw\nYuAIdEVPTdV7+PG03fCm3nDmuDcsncMItCE/pI5c+Ia02uMz2L30H6hJxSSzSsLR\nUOPIPC4VKGIESjx7tm8GcPUNGry8j2HnJHxu6Sb/YYDI829ZUAcYUwTbufbik88S\nMuxFSK65uxB0loPpSQyhneXD4h23owVrQEGx9ukL1u3epI3M6oaKFVf/TEpWAg6z\nMHGiEoL7tQJiT00UULpH75kj6kIiwjsZbPX9aNwigqcEnsfR5tPk5x18NYtTg/o0\neQIDAQAB\n-----END PUBLIC KEY-----\n'
args:
  algorithm: 'RS256'
  uid_claim: 'email'
  required_claims: ["name", "email"]
  info_maps: { name: "name", email: "email" }
  auth_url: 'http://localhost:4567/login/sso/gitlab'
  valid_within: nil
Ruby server that issues the JWT and redirects to GitLab:
#!/usr/bin/env ruby
require 'sinatra'
require 'jwt'
require 'openssl'

get '/login/sso/gitlab' do
  # assuming the user is already logged in and this is available as current_user
  claims = {
    id: '123',
    name: 'michael',
    email: 'michael@tsyganov.de',
    iat: Time.now.to_i
  }
  # private half of the key pair whose public key is configured as app_secret above
  privatekey = OpenSSL::PKey::RSA.new "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIBAAKCAQEAsENjNqUOyW3SeVt3cYY7qkF273U+zIp0c4PMq95wDxFplrxT\n1iEbtes9rITIVa/4KyJmAf/P33Xi4j+qVRTwYuAIdEVPTdV7+PG03fCm3nDmuDcs\nncMItCE/pI5c+Ia02uMz2L30H6hJxSSzSsLRUOPIPC4VKGIESjx7tm8GcPUNGry8\nj2HnJHxu6Sb/YYDI829ZUAcYUwTbufbik88SMuxFSK65uxB0loPpSQyhneXD4h23\nowVrQEGx9ukL1u3epI3M6oaKFVf/TEpWAg6zMHGiEoL7tQJiT00UULpH75kj6kIi\nwjsZbPX9aNwigqcEnsfR5tPk5x18NYtTg/o0eQIDAQABAoIBAAu1HiTmB7pnWgCH\ni8J1mQbw/DZhgj9RvvRhP7n2t1i43luNvL/PSSjnLByGYUwXuRMcYMwnMqZ0DRLc\nCbNHBcR7fvRCGkdgM7DQVSQctOi3dQutVoBQEQbt4m1Kq3AyelbDmpD95PYpVmUK\n0AHaOM73ojglE3CwOfq4U7tFWpcsA113w63O5ghkTw6mkG4clbuX7U8ALvFqm7CZ\ntj8IY+JVKaJ/upNRcn8dX4kn0cNchXbvLohYL/BW95JzO2UE/QNa5ocbkw3avDEc\nwdL5lgE48O4Loy9DFJs3LYruVxhCz/xpNTZmMy/IvURZxlq93bjg8wqFipNReWRC\nzQMy7VECgYEA5BjnXTI2X5aTZHyjb40Q+CVp6TRA6Zech2VTAm3EdFp+jaKQbZQa\nH25DYggi+ODPbIss8OgD/rqLDAo+C25mapFSZQL5325clwQLazJw+fgXRWZ1NS9H\nm1M1zSz2bHgLwQtBaJT7Cbo5dpVCLM0HPvuWOuf3vePpFWOWGo7HdI0CgYEAxdM/\nkyRTWm4S8iNCRyjjF6kMvHK5qMlQJvnQWE/+kL9BUVbhP5BoQi/2vgiNRfxor3gS\nRUI57HZAgQasbBMdTKb3x//kDHymt9xzM/yF2QwwmRIdWLrg1cmV+AipGONbQ/uS\nt0JlyGvf7WLNJFDAgH3tbwktIMlzSV81TzAhIp0CgYEA4LX4GMRC9OCuzCxOBrN+\nqDiTon8sA/Ss7GZR5O6mv8n3KymgB5QEODq0f3tsmKtBLbneyGaKqQS1v2LHxRM6\nKnqIJaNM72UWKmB9r1m+G0TiCCjsBz1Q2iCbvEozaqDJU6D3C0TaG7curThWPTSv\nksjgM6AbXSOOmNfHJNrMfHECgYEAph8hUfS9MkEhE8jcDVmeae4BzfYhRkXXUwOR\nG7gBM5gHx8BHYtNnWb1hXG9eAxlU55TS8uoMLi+XN0JdZFwgzI+hn4eY/4tljRxI\nea1i0MNVxBTcI/i6eYzQrPrI1SeHKm2F5PKS+lzsLDI9xnMxVDVrP0Tbap8AeurC\nn37xNFkCgYB9vmfOANzQpE6m6F314gUTwScDaryDQyhmorzh9wj2x3khyjRIhSE6\nczHymGSbj+PLowMcs1uMw0EHtcwBsxkdsu2A++t02VyCmJxRzmh7g2zaS6q55XQa\nzuIprgtzE/VpOkLLgx3jehrPm/2VmegdWT+jMypt5O6IDP6e8f9KMg==\n-----END RSA PRIVATE KEY-----\n"
  # sign the claims with RS256 and hand the token to GitLab's jwt callback
  payload = JWT.encode(claims, privatekey, 'RS256')
  redirect "https://www.yourgitlab.com/users/auth/jwt/callback?jwt=#{payload}"
end
What is the current bug behavior?
Gitlab is not able to verify the signature of the jwt token and to authorize the user.
What is the expected correct behavior?
Gitlab can successfully verify the jwt token and authorize the user.
Relevant logs and/or screenshots
==> /var/log/gitlab/production.log <==
Started GET "/users/auth/jwt/callback?jwt=eyJhbGciOiJSUzI1NiJ9.eyJpZCI6IjEyMyIsIm5hbWUiOiJtaWNoYWVsIiwiZW1haWwiOiJtaWtoYWlsLnRzeWdhbm92QHNhcC5jb20iLCJpYXQiOjE1Mzg3MzU4NzZ9.pKDIBik3gUxUdNwLj0OuyqaDAmiEydiphW2gYK3q1QFxhZZ185iGaBZg6MGuSoZCWJfIW0kns7h7ed2_DPzAfJUMZKfzxT5PKnrGxcWIwMxZXdvka4JlVog8JDQDuLYkAbFcmA749yXer3rML60r-YRyCVAHZnN8B5t6_LktSpqwTentSE6B2XHJbUbG76z0fy0GCKAwMUcNH_8ikSgY9MfUd1ZY3clr-_U5-3uCKTP_nnEcxMSoTQD7LpBn2Q9MZb7GfswPV-0b43sjt182CU44cAkpN3p8BOhaZBefExa7yo-0MORGh8PJE1Qu-E-mn8Zm4XIZ6V_Yx1mNBePfcQ" for 100.96.1.29 at 2018-10-05 10:37:56 +0000
NoMethodError (undefined method `verify' for #<String:0x00005567094eed80>):
lib/omni_auth/strategies/jwt.rb:38:in `decoded'
lib/omni_auth/strategies/jwt.rb:21:in `block in <class:Jwt>'
lib/omni_auth/strategies/jwt.rb:54:in `callback_phase'
lib/gitlab/middleware/multipart.rb:101:in `call'
lib/gitlab/request_profiler/middleware.rb:14:in `call'
ee/lib/gitlab/jira/middleware.rb:15:in `call'
lib/gitlab/middleware/go.rb:17:in `call'
lib/gitlab/etag_caching/middleware.rb:11:in `call'
lib/gitlab/middleware/rails_queue_duration.rb:22:in `call'
lib/gitlab/metrics/rack_middleware.rb:15:in `block in call'
lib/gitlab/metrics/transaction.rb:53:in `run'
lib/gitlab/metrics/rack_middleware.rb:15:in `call'
lib/gitlab/middleware/read_only/controller.rb:40:in `call'
lib/gitlab/middleware/read_only.rb:16:in `call'
lib/gitlab/middleware/basic_health_check.rb:25:in `call'
lib/gitlab/request_context.rb:18:in `call'
lib/gitlab/metrics/requests_rack_middleware.rb:27:in `call'
lib/gitlab/middleware/release_env.rb:10:in `call'
Possible fixes
In https://github.com/mbleigh/omniauth-jwt/blob/master/lib/omniauth/strategies/jwt.rb#L26 the JWT.decode call should be extended so that, for the RSA algorithm, the configured secret is parsed into a key object before verification. The fourth argument of JWT.decode is an options hash, so the configured algorithm goes in as the algorithm option:
@decoded ||= ::JWT.decode(request.params['jwt'], OpenSSL::PKey::RSA.new(options.secret), true, { algorithm: options.algorithm })
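To show the mechanics behind the error in the log and the fix above, here is an added example that is not code from the issue or from omniauth-jwt. It implements RS256 signing and verification with only Ruby's standard library (openssl, json), so it runs without the jwt gem: the verifier refuses a PEM String and insists on an OpenSSL::PKey object (the cause of the NoMethodError), and it pins the algorithm from configuration instead of trusting the token header's alg. The MiniJwt module, its method names and the generated key pair are assumptions of the example.

```ruby
#!/usr/bin/env ruby
# Added example (not from the issue or omniauth-jwt): minimal RS256 JWT
# signer/verifier on Ruby's standard library only. Names are assumptions.
require 'openssl'
require 'json'

module MiniJwt
  class VerificationError < StandardError; end

  # JWT uses unpadded base64url (RFC 7515 section 2); pack('m0') is strict
  # base64, so padding is stripped on encode and restored before decode.
  def self.b64url(bytes)
    [bytes].pack('m0').tr('+/', '-_').delete('=')
  end

  def self.unb64url(str)
    padded = str + '=' * ((4 - str.length % 4) % 4)
    padded.tr('-_', '+/').unpack1('m0')
  end

  # Produce header.payload.signature, signed with an RSA private key.
  def self.encode(claims, private_key, alg = 'RS256')
    raise ArgumentError, 'only RS256 is implemented here' unless alg == 'RS256'
    header = b64url(JSON.generate({ alg: alg, typ: 'JWT' }))
    payload = b64url(JSON.generate(claims))
    signing_input = "#{header}.#{payload}"
    signature = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
    "#{signing_input}.#{b64url(signature)}"
  end

  # Verify the signature and return the claims. expected_alg comes from the
  # deployment's configuration (options.algorithm in omniauth-jwt), never
  # from the token itself.
  def self.decode(token, key, expected_alg)
    # The check the reported callback lacked: options.secret arrives as a
    # String, and a String has no #verify method.
    unless key.is_a?(OpenSSL::PKey::PKey)
      raise ArgumentError, 'verification key must be an OpenSSL::PKey object, not a String'
    end
    header_b64, payload_b64, sig_b64 = token.split('.')
    raise VerificationError, 'malformed token' if sig_b64.nil? || sig_b64.empty?
    header = JSON.parse(unb64url(header_b64))
    unless header['alg'] == expected_alg
      raise VerificationError, "token alg #{header['alg'].inspect} does not match configured #{expected_alg}"
    end
    signing_input = "#{header_b64}.#{payload_b64}"
    unless key.verify(OpenSSL::Digest.new('SHA256'), unb64url(sig_b64), signing_input)
      raise VerificationError, 'signature mismatch'
    end
    JSON.parse(unb64url(payload_b64))
  end

  # Runs the cases relevant to the issue on a freshly generated key pair and
  # returns what each produced, so the outcome can be inspected or asserted.
  def self.demo
    private_key = OpenSSL::PKey::RSA.generate(2048)
    public_key = private_key.public_key # what app_secret must be turned into
    claims = { 'id' => '123', 'name' => 'michael', 'iat' => Time.now.to_i }
    token = encode(claims, private_key)
    results = {}
    # 1. key object: verification succeeds
    results[:pkey_object] = decode(token, public_key, 'RS256')['name']
    # 2. PEM string (the configuration as GitLab passes it): rejected up front
    begin
      decode(token, public_key.to_pem, 'RS256')
    rescue ArgumentError => e
      results[:pem_string] = e.message
    end
    header, payload, sig = token.split('.')
    # 3. payload edited after signing: signature no longer matches
    tampered = "#{header}.#{b64url(JSON.generate({ 'id' => '1', 'name' => 'someone else' }))}.#{sig}"
    begin
      decode(tampered, public_key, 'RS256')
    rescue VerificationError => e
      results[:tampered] = e.message
    end
    # 4. header advertising another algorithm: rejected before any crypto runs
    other_alg = b64url(JSON.generate({ 'alg' => 'HS256', 'typ' => 'JWT' }))
    begin
      decode("#{other_alg}.#{payload}.#{sig}", public_key, 'RS256')
    rescue VerificationError => e
      results[:wrong_alg] = e.message
    end
    results
  end
end

puts MiniJwt.demo.inspect if $PROGRAM_NAME == __FILE__
```

The fix proposed for omniauth-jwt does the same two things through the jwt gem: OpenSSL::PKey::RSA.new(options.secret) turns the configured PEM into a key object, and passing the configured algorithm as a decode option keeps the verifier from accepting whatever algorithm a token claims for itself.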
Edited by Michael Tsyganov