Do not allow the "none" signing algorithm

For extra security disable the "none" algorithm if the server claims to support it. Whilst we are using code flow, it is not needed, but providers MUST support RS256 so there would always be a more secure option we can use.
jenkinsci · Oct 8, 2024 · 7116a7b · 7116a7b
1 parent a594a27
commit 7116a7b
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java b/src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java
@@ -1,5 +1,7 @@
 package org.jenkinsci.plugins.oic;
 
+import com.nimbusds.jose.Algorithm;
+import com.nimbusds.jose.JWSAlgorithm;
 import com.nimbusds.jose.util.ResourceRetriever;
 import com.nimbusds.oauth2.sdk.ParseException;
 import com.nimbusds.oauth2.sdk.Scope;
@@ -124,7 +126,13 @@ public OIDCProviderMetadata toProviderMetadata() {
                     _oidcProviderMetadata.setTokenEndpointAuthMethods(filteredEndpointAuthMethods);
                 }
             }
-
+            // do not allow the "none" singing algorithm for security
+            List<JWSAlgorithm> idTokenJWSAlgs = _oidcProviderMetadata.getIDTokenJWSAlgs();
+            if (idTokenJWSAlgs != null && idTokenJWSAlgs.contains(Algorithm.NONE)) {
+                ArrayList<JWSAlgorithm> _idTokenJWSAlgs = new ArrayList<>(idTokenJWSAlgs);
+                _idTokenJWSAlgs.remove(Algorithm.NONE);
+                _oidcProviderMetadata.setIDTokenJWSAlgs(_idTokenJWSAlgs);
+            }
             oidcProviderMetadata = _oidcProviderMetadata;
             // we have no access to the HTTP Headers to be able to find a expirey headers.
             // for now use the default expirey of 1hr.