Decrypt JWE from OpenID Connect /userinfo endpoint (.NET Framework)

Summary

The issue at hand is the failure to decrypt a JSON Web Encryption (JWE) token received from the /userinfo endpoint of France Connect Plus using a private key in a .NET Framework 4.7 application with C# 5. The decryption process fails with a SecurityTokenDecryptionFailedException, indicating that no keys were tried for decryption.

Root Cause

The root cause of this issue lies in the configuration of the TokenValidationParameters and, in particular, the TokenDecryptionKeyResolver. Specifically:

  • The TokenDecryptionKeyResolver does not hand the handler a usable decryption key, which is why the exception reports that no keys were tried.
  • The ValidateIssuer, ValidateAudience, and ValidateLifetime properties are set to false, which disables those checks and is unlikely to be the intended behavior.
  • The RequireSignedTokens property is set to false, so an unsigned token would be accepted, which is also unlikely to be the intended behavior.

Why This Happens in Real Systems

This issue can occur in real systems due to:

  • Misconfiguration of the token validation parameters
  • Incorrect implementation of the token decryption key resolver
  • A mismatch between the algorithm or key type the token was encrypted with and the key supplied for decryption
  • Issues with the private key used for decryption

Real-World Impact

The impact of this issue can be significant, including:

  • Failure to authenticate users
  • Inability to access protected resources
  • Security vulnerabilities due to incorrect token validation

Example Code

using System;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

// The private RSA JWK comes from secure configuration (key vault, protected config); it is never hard-coded.
var jwkJson = LoadPrivateJwkJsonFromSecureStore();   // placeholder for your own key store
// A private RSA JWK parsed by JsonWebKey is directly usable as the JWE decryption key.
var decryptionKey = new JsonWebKey(jwkJson);
var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
var validationParameters = new TokenValidationParameters
{
    ValidateIssuer = true,
    ValidIssuer = "<issuer value from the provider's discovery document>",   // placeholder
    ValidateAudience = true,
    ValidAudience = "<your client_id>",                                       // placeholder
    ValidateLifetime = true,
    // The resolver must return the key that unwraps the JWE content-encryption key;
    // "no keys were tried" means this delegate returned nothing usable.
    TokenDecryptionKeyResolver = (token, securityToken, kid, parameters) =>
    {
        return new[] { decryptionKey };
    },
    RequireSignedTokens = true,
    ValidateIssuerSigningKey = true,
    // The nested JWS is verified against the provider's published signing keys (its JWKS).
    // Do not replace this with a SignatureValidator that just returns new JwtSecurityToken(token):
    // such a delegate disables signature checking entirely.
    IssuerSigningKeys = providerSigningKeys   // placeholder: keys fetched from the provider's JWKS endpoint
};
SecurityToken validatedToken;
var principal = handler.ValidateToken(encryptedUserInfo, validationParameters, out validatedToken);

How Senior Engineers Fix It

Senior engineers can fix this issue by:

  • Correctly configuring the TokenValidationParameters
  • Implementing a correct TokenDecryptionKeyResolver
  • Ensuring compatibility between the encryption and decryption algorithms
  • Verifying the private key used for decryption
  • Thoroughly testing the token validation and decryption process
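As an added diagnostic (not part of the original post), the C# 5-compatible helper below reads the JWE protected header without decrypting anything and compares it with the private JWK, so a key-type, kid or private-component mismatch is reported explicitly instead of surfacing later as "no keys were tried". The class and method names are assumptions; the token and JWK JSON are supplied by the caller.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.IdentityModel.Tokens;

public static class JweKeyCheck   // hypothetical helper, not from the original post
{
    // Returns the problems found; an empty list means the private JWK looks usable for this JWE.
    public static List<string> FindMismatches(string jwe, string privateJwkJson)
    {
        var problems = new List<string>();

        // Compact JWE serialization has five dot-separated parts; a JWS has three.
        var partCount = jwe.Split('.').Length;
        if (partCount != 5)
        {
            problems.Add(string.Format("Token has {0} parts; a compact JWE has 5 (a JWS has 3).", partCount));
            return problems;
        }

        // ReadJwtToken parses the protected header only; no decryption or validation happens here.
        var header = new JwtSecurityTokenHandler().ReadJwtToken(jwe).Header;
        var key = new JsonWebKey(privateJwkJson);

        // Decryption needs the private component; a public JWK would be a silent dead end.
        if (!key.HasPrivateKey)
            problems.Add("JWK has no private component; JWE decryption requires the private key.");

        // RSA key-management algorithms (RSA-OAEP, RSA-OAEP-256, RSA1_5) require an RSA key.
        if (!string.IsNullOrEmpty(header.Alg) && header.Alg.StartsWith("RSA", StringComparison.Ordinal) && key.Kty != "RSA")
            problems.Add(string.Format("JWE alg {0} needs an RSA key but the JWK kty is {1}.", header.Alg, key.Kty));

        // When both sides carry a kid they must agree, or a kid-based resolver never picks this key.
        if (!string.IsNullOrEmpty(header.Kid) && !string.IsNullOrEmpty(key.Kid) && header.Kid != key.Kid)
            problems.Add(string.Format("JWE kid {0} does not match JWK kid {1}.", header.Kid, key.Kid));

        // The content-encryption algorithm must be present and supported by the installed library version;
        // AES-GCM content encryption is not supported by every version of this library, so flag it for review.
        if (string.IsNullOrEmpty(header.Enc))
            problems.Add("JWE header has no enc value.");
        else if (header.Enc.EndsWith("GCM", StringComparison.Ordinal))
            problems.Add(string.Format("enc {0} uses AES-GCM; confirm the installed library version supports it.", header.Enc));

        return problems;
    }
}
```

Run this check on the raw /userinfo response before calling ValidateToken, and log the returned list when it is non-empty.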

Why Juniors Miss It

Junior engineers may miss this issue due to:

  • Lack of understanding of JSON Web Encryption (JWE) and JSON Web Tokens (JWT)
  • Inexperience with token validation and decryption
  • Insufficient testing of the token validation and decryption process
  • Failure to thoroughly review the code and configuration
  • Not considering security best practices when implementing token validation and decryption
