OIDC: Considering add HS256 signature algorithm support? #21392

Open
shikiroot opened this issue Jan 8, 2025 · 1 comment
Labels: area/oidc; help wanted (The issues that is valid but needs help from community); kind/requirement (New feature or idea on top of harbor)

Comments

@shikiroot

There are lots of private OIDC providers still using the HS256 signature algorithm (such as the company I'm working for).

Would you consider adding support for the HS256 signature algorithm?

Related harbor-core logs:

[ERROR] [/lib/http/error.go:57]: {"errors":[{"code":"INTERNAL_SERVER_ERROR","message":"oidc: malformed jwt: go-jose/go-jose: unexpected signature algorithm \"HS256\"; expected [\"RS256\"]"}]}
/harbor/src/lib/http/error.go:85, github.com/goharbor/harbor/src/lib/http.apiError
/harbor/src/lib/http/error.go:54, github.com/goharbor/harbor/src/lib/http.SendError
/harbor/src/common/api/base.go:74, github.com/goharbor/harbor/src/common/api.(*BaseAPI).RenderError
/harbor/src/common/api/base.go:232, github.com/goharbor/harbor/src/common/api.(*BaseAPI).SendInternalServerError
/harbor/src/core/controllers/oidc.go:125, github.com/goharbor/harbor/src/core/controllers.(*OIDCController).Callback
/usr/local/go/src/reflect/value.go:581, reflect.Value.call
/usr/local/go/src/reflect/value.go:365, reflect.Value.Call
/go/pkg/mod/github.com/beego/beego/[email protected]/server/web/router.go:1234, github.com/beego/beego/v2/server/web.(*ControllerRegister).serveHttp
/go/pkg/mod/github.com/beego/beego/[email protected]/server/web/filter.go:83, github.com/beego/beego/v2/server/web.(*FilterRouter).filter
/go/pkg/mod/github.com/beego/beego/[email protected]/server/web/router.go:1003, github.com/beego/beego/v2/server/web.(*ControllerRegister).ServeHTTP
/harbor/src/server/middleware/middleware.go:52, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.New.func22.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/security/security.go:75, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.UnauthorizedMiddleware.func10
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.UnauthorizedMiddleware.New.func19.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/security/security.go:62, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func9
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func18.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/artifactinfo/artifact_info.go:62, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func8.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/middleware.go:52, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func17.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/notification/notification.go:31, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func6
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func16.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/orm/orm.go:54, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.func15
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.MiddlewareWithConfig.New.func21.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/csrf/csrf.go:62, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.func2.attach.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/go/pkg/mod/github.com/gorilla/[email protected]/csrf.go:306, github.com/gorilla/csrf.(*csrf).ServeHTTP
/harbor/src/server/middleware/csrf/csrf.go:82, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.func2
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/server/middleware/csrf.Middleware.New.func3.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/session/session.go:35, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func5.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/log/log.go:43, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func4
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func14.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/requestid/requestid.go:46, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func3
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func13.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/metric/metric.go:74, github.com/goharbor/harbor/src/server/middleware/metric.transparentHandler.func1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/trace/trace.go:28, github.com/goharbor/harbor/src/server/middleware/trace.traceHandler.func1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/mergeslash/mergeslash.go:31, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func2
/harbor/src/server/middleware/middleware.go:57, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.New.func12.1
/usr/local/go/src/net/http/server.go:2220, net/http.HandlerFunc.ServeHTTP
/harbor/src/server/middleware/url/parse.go:36, github.com/goharbor/harbor/src/core/middlewares.MiddleWares.Middleware.func1
@wy65701436 wy65701436 added area/oidc kind/requirement New feature or idea on top of harbor labels Jan 8, 2025
@reasonerjt
Contributor

Harbor's just using the default sig algorithm of "go-oidc", which is "RS256", and have not heard of such a requirement for years.

Making it support "HS256" seems do-able, but I don't think I have an env to test.
If you can make the change and verify in your env I'll be happy to review the PR.

@reasonerjt reasonerjt added the help wanted The issues that is valid but needs help from community label Jan 13, 2025
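
Added example, not part of the thread and not Harbor's or go-oidc's code: a standard-library sketch of the check behind the logged error, where the ID token's `alg` header is compared against an allow-list before any signature work, and HS256 is verified only when explicitly allowed, using the client secret as the HMAC key as OpenID Connect Core specifies for MAC algorithms. The names `verifyIDToken`, `signHS256`, `hs256` and the sample secret and claims are hypothetical, and issuer, audience and expiry checks are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"slices"
	"strings"
)

var b64 = base64.RawURLEncoding

// hs256 computes HMAC-SHA256 over the JWS signing input (header.payload).
func hs256(input string, key []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}

// signHS256 builds a constructed sample token; a real one comes from the provider.
func signHS256(claims string, key []byte) string {
	in := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString([]byte(claims))
	return in + "." + b64.EncodeToString(hs256(in, key))
}

// verifyIDToken (hypothetical helper): alg allow-list first, then HMAC with the client secret.
func verifyIDToken(tok string, allowed []string, secret []byte) ([]byte, error) {
	var hdr struct{ Alg string }
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, fmt.Errorf("malformed jwt: want 3 segments, got %d", len(p))
	}
	if raw, err := b64.DecodeString(p[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed jwt: unreadable header")
	}
	if !slices.Contains(allowed, hdr.Alg) {
		return nil, fmt.Errorf("unexpected signature algorithm %q; expected %q", hdr.Alg, allowed)
	}
	if hdr.Alg != "HS256" || len(secret) == 0 {
		return nil, fmt.Errorf("alg %q or empty secret is out of scope for this sketch", hdr.Alg)
	}
	if sig, err := b64.DecodeString(p[2]); err != nil || !hmac.Equal(sig, hs256(p[0]+"."+p[1], secret)) {
		return nil, fmt.Errorf("failed to verify signature")
	}
	return b64.DecodeString(p[1])
}

func main() { fmt.Println(verifyIDToken(signHS256(`{"sub":"a"}`, []byte("s3")), []string{"RS256"}, nil)) }
```

Allowing HS256 turns the client secret into a token-signing key, so every system that holds the secret can produce ID tokens the relying party accepts. Keeping the allow-list explicit on the relying-party side also means a token cannot choose its own verification algorithm.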