How to get more info about invalid JWT algorithm

A service is throwing “Invalid algorithm ‘HS256’, expected ‘RS256’” from:

Is there a way I can handle this, in the sense that I can log the original request so I can see what’s really inside the request itself? It’s a service called by a third party and 99.9% of the calls are OK, but sometimes I get these errors in my log and cannot see what’s really inside.

Where should I try to hook for this exception thrown so that I can log the original request?
Thanks.

You could inspect the request with an IAppHost.PreRequestFilters, otherwise you can always inherit from JwtAuthProvider and override the GetVerifiedJwtPayload() method to inspect it before calling base.

With the PreRequestFilters I was able to log the fact that the web hook is (sometimes) posting an Authorization header with a Bearer token that is not known to us. The call itself is not protected, and in the end the call is processed, only there is an Error in GetSession() when ApplyPreAuthenticateFilters errors in my logs.
I tried to remove the header in the PreRequestFilters but I cannot modify the header it seems.
Any other suggestion besides creating my own JwtAuthProvider?
Would it be better that SS does not process the authorization header if the service is not marked with the auth attribute?

You can’t modify the framework’s .NET Request / Response directly but you can override the Authorization used with:

req.Items[Keywords.Authorization] = ....;

As long as it’s not a 3-part or 5-part JWT Token the JWT Auth Provider should ignore it.

ServiceStack always needs to execute the PreRequestFilters if calling GetSession() in order to populate the session; your code can choose not to call GetSession() after inspecting the Request.

I tried that, setting it to null, but it still tries to validate because of the header. Thing is that the GetSession is in a base class and the check IsAuthenticated is called (underlying this is doing a GetSession); furthermore an ORMLite hook when updating is using the GetSession to see whether we have a user or not to save as updatedUser…
So I am afraid that I need to subclass the JwtAuthProvider then, to override the complete method and not throw the Exception.

Setting it to null doesn’t override it, you need to set it to something that’s not a 3-part or 5-part JWT/JWE Key, e.g. Bearer ignore
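The approach from the answers above, written out as an added example (not code from the thread or from ServiceStack itself): a PreRequestFilter that, on the assumed unprotected webhook route `/webhook`, logs only the decoded JWT header segment (which is where `alg`, e.g. HS256, lives) and then overrides `req.Items[Keywords.Authorization]` with a non-JWT value so JwtAuthProvider does not try to validate the third-party token. The `AppHost` class, the route and the logger name are assumptions; scoping the override to that one route keeps JWT validation intact for every other service.

```csharp
using System;
using System.Text;
using ServiceStack;
using ServiceStack.Logging;

// Hypothetical AppHost; only the PreRequestFilters registration matters here.
public class AppHost : AppHostBase
{
    public AppHost() : base("Webhook Service", typeof(AppHost).Assembly) { }

    public override void Configure(Funq.Container container)
    {
        var log = LogManager.GetLogger(typeof(AppHost));

        PreRequestFilters.Add((req, res) =>
        {
            // Assumed: only the third-party webhook route is unprotected
            if (req.PathInfo != "/webhook") return;

            var auth = req.Headers[HttpHeaders.Authorization];
            if (auth == null || !auth.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                return;

            var token = auth.Substring("Bearer ".Length).Trim();
            var parts = token.Split('.');

            // 3 parts = JWS, 5 parts = JWE: log the header (alg, kid, typ) so the
            // rejected algorithm is visible, without writing the token itself to the log
            if (parts.Length == 3 || parts.Length == 5)
                log.WarnFormat("Third-party JWT on {0} from {1}, header: {2}",
                    req.PathInfo, req.RemoteIp, DecodeSegment(parts[0]));
            else
                log.WarnFormat("Non-JWT bearer token on {0} from {1}", req.PathInfo, req.RemoteIp);

            // Replace the Authorization value seen by the auth provider with something
            // that is neither 3-part nor 5-part, so no validation is attempted.
            req.Items[Keywords.Authorization] = "Bearer ignore";
        });
    }

    // base64url decode of one JWT segment; returns a marker instead of throwing
    static string DecodeSegment(string segment)
    {
        try
        {
            var s = segment.Replace('-', '+').Replace('_', '/');
            switch (s.Length % 4) { case 2: s += "=="; break; case 3: s += "="; break; }
            return Encoding.UTF8.GetString(Convert.FromBase64String(s));
        }
        catch (FormatException) { return "<undecodable>"; }
    }
}
```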

Okay! That did the trick!
Thx!
