OpenID Connect: Undefined array key "use" when JWK missing the optional use key

[107142]

Describe the Bug

When filtering the JWK keys the function filterKey in OidcProviderSettings.php expects the key use to be present with the sig value. Which I assume is because encryption is not supported.

Problem here is that the use key is optional according to the RFC (although the wording is quite ambiguous) and our OIDC provider does not have it resulting in a crash during parsing and and error exception:

Undefined array key "use"

#0 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(169): Illuminate\Foundation\Bootstrap\HandleExceptions->handleError(2, 'Undefined array...', '/var/www/bookst...', 169)
#1 [internal function]: BookStack\Auth\Access\Oidc\OidcProviderSettings->BookStack\Auth\Access\Oidc\{closure}(Array)
#2 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(170): array_filter(Array, Object(Closure))
#3 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(155): BookStack\Auth\Access\Oidc\OidcProviderSettings->filterKeys(Array)
#4 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(116): BookStack\Auth\Access\Oidc\OidcProviderSettings->loadSettingsFromIssuerDiscovery(Object(GuzzleHttp\Client))
#5 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cache/Repository.php(391): BookStack\Auth\Access\Oidc\OidcProviderSettings->BookStack\Auth\Access\Oidc\{closure}()
#6 /var/www/bookstack/app/Auth/Access/Oidc/OidcProviderSettings.php(117): Illuminate\Cache\Repository->remember('oidc-discovery:...', 900, Object(Closure))
#7 /var/www/bookstack/app/Auth/Access/Oidc/OidcService.php(108): BookStack\Auth\Access\Oidc\OidcProviderSettings->discoverFromIssuer(Object(GuzzleHttp\Client), Object(Illuminate\Cache\Repository), 15)
#8 /var/www/bookstack/app/Auth/Access/Oidc/OidcService.php(53): BookStack\Auth\Access\Oidc\OidcService->getProviderSettings()
#9 /var/www/bookstack/app/Http/Controllers/Auth/OidcController.php(29): BookStack\Auth\Access\Oidc\OidcService->login()
#10 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Controller.php(54): BookStack\Http\Controllers\Auth\OidcController->login()
#11 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/ControllerDispatcher.php(45): Illuminate\Routing\Controller->callAction('login', Array)
#12 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(262): Illuminate\Routing\ControllerDispatcher->dispatch(Object(Illuminate\Routing\Route), Object(BookStack\Http\Controllers\Auth\OidcController), 'login')
#13 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Route.php(205): Illuminate\Routing\Route->runController()
#14 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(721): Illuminate\Routing\Route->run()
#15 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Routing\Router->Illuminate\Routing\{closure}(Object(BookStack\Http\Request))
#16 /var/www/bookstack/app/Http/Middleware/CheckGuard.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#17 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckGuard->handle(Object(BookStack\Http\Request), Object(Closure), 'oidc')
#18 /var/www/bookstack/app/Http/Middleware/Localization.php(45): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#19 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\Localization->handle(Object(BookStack\Http\Request), Object(Closure))
#20 /var/www/bookstack/app/Http/Middleware/RunThemeActions.php(26): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#21 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\RunThemeActions->handle(Object(BookStack\Http\Request), Object(Closure))
#22 /var/www/bookstack/app/Http/Middleware/CheckEmailConfirmed.php(47): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#23 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\CheckEmailConfirmed->handle(Object(BookStack\Http\Request), Object(Closure))
#24 /var/www/bookstack/app/Http/Middleware/PreventAuthenticatedResponseCaching.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#25 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\PreventAuthenticatedResponseCaching->handle(Object(BookStack\Http\Request), Object(Closure))
#26 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php(78): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#27 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\VerifyCsrfToken->handle(Object(BookStack\Http\Request), Object(Closure))
#28 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/View/Middleware/ShareErrorsFromSession.php(49): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#29 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\View\Middleware\ShareErrorsFromSession->handle(Object(BookStack\Http\Request), Object(Closure))
#30 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(121): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#31 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Session/Middleware/StartSession.php(64): Illuminate\Session\Middleware\StartSession->handleStatefulRequest(Object(BookStack\Http\Request), Object(Illuminate\Session\Store), Object(Closure))
#32 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Session\Middleware\StartSession->handle(Object(BookStack\Http\Request), Object(Closure))
#33 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/AddQueuedCookiesToResponse.php(37): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#34 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse->handle(Object(BookStack\Http\Request), Object(Closure))
#35 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Cookie/Middleware/EncryptCookies.php(67): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#36 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Cookie\Middleware\EncryptCookies->handle(Object(BookStack\Http\Request), Object(Closure))
#37 /var/www/bookstack/app/Http/Middleware/ApplyCspRules.php(33): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#38 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\ApplyCspRules->handle(Object(BookStack\Http\Request), Object(Closure))
#39 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#40 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(723): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#41 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(698): Illuminate\Routing\Router->runRouteWithinStack(Object(Illuminate\Routing\Route), Object(BookStack\Http\Request))
#42 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(662): Illuminate\Routing\Router->runRoute(Object(BookStack\Http\Request), Object(Illuminate\Routing\Route))
#43 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Routing/Router.php(651): Illuminate\Routing\Router->dispatchToRoute(Object(BookStack\Http\Request))
#44 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(167): Illuminate\Routing\Router->dispatch(Object(BookStack\Http\Request))
#45 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(128): Illuminate\Foundation\Http\Kernel->Illuminate\Foundation\Http\{closure}(Object(BookStack\Http\Request))
#46 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Http/Middleware/TrustProxies.php(39): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#47 /var/www/bookstack/app/Http/Middleware/TrustProxies.php(41): Illuminate\Http\Middleware\TrustProxies->handle(Object(BookStack\Http\Request), Object(Closure))
#48 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): BookStack\Http\Middleware\TrustProxies->handle(Object(BookStack\Http\Request), Object(Closure))
#49 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TransformsRequest.php(21): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#50 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/TrimStrings.php(40): Illuminate\Foundation\Http\Middleware\TransformsRequest->handle(Object(BookStack\Http\Request), Object(Closure))
#51 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\TrimStrings->handle(Object(BookStack\Http\Request), Object(Closure))
#52 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/ValidatePostSize.php(27): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#53 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\ValidatePostSize->handle(Object(BookStack\Http\Request), Object(Closure))
#54 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/PreventRequestsDuringMaintenance.php(86): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#55 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(167): Illuminate\Foundation\Http\Middleware\PreventRequestsDuringMaintenance->handle(Object(BookStack\Http\Request), Object(Closure))
#56 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Pipeline/Pipeline.php(103): Illuminate\Pipeline\Pipeline->Illuminate\Pipeline\{closure}(Object(BookStack\Http\Request))
#57 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(142): Illuminate\Pipeline\Pipeline->then(Object(Closure))
#58 /var/www/bookstack/vendor/laravel/framework/src/Illuminate/Foundation/Http/Kernel.php(111): Illuminate\Foundation\Http\Kernel->sendRequestThroughRouter(Object(BookStack\Http\Request))
#59 /var/www/bookstack/public/index.php(53): Illuminate\Foundation\Http\Kernel->handle(Object(BookStack\Http\Request))
#60 {main}

Steps to Reproduce

1. Connect BookStack with OpenID Connect that does not have use key present in the jwks endpoint
2. Set OIDC_ISSUER_DISCOVER to true
3. Attempt to log-in

Expected Behaviour

Absence of the use key should not necessarily result in an exception. Maybe a warning?

Screenshots or Additional Context

No response

Browser Details

Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0

Exact BookStack Version

v22.10.2

PHP Version

8.1.12

Hosting Environment

Rancher Kubernetes

Docker image: solidnerd/bookstack:latest

Clean install

[ssddanbrown]

Thanks for the clear report @107142. To add, the OIDC discovery spec states:

This contains the signing key(s) the RP uses to validate signatures from the OP. The JWK Set MAY also contain the Server's encryption key(s), which are used by RPs to encrypt requests to the Server. When both signing and encryption keys are made available, a use (Key Use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage. Although some algorithms allow the same key to be used for both signatures and encryption, doing so is NOT RECOMMENDED, as it is less secure.

Agreed that this should not cause an exception on check, but not totally sure how to handle missing use parameters. Options:

• As advised, show a warning.
  • Will be a little annoying to record and report such warnings unless we'd be happy for them to block further processing of additional potentially fully-defined keys.
• Simply ignore keys without a use.
  • Might cause frustration in scenarios where the user is expecting the key to be used but bookstack is not finding any valid keys, and not reporting the skipping of such a key.
• Assume such keys to be available for signing use.
  • Hard to understand if this could be valid usage. The JWK spec does not specify a default. The OIDC discovery text, as quoted above, does make it sound like non-use keys would be considered signing keys, since the jwks containing encryption keys is stated as MAY and, in that case, the use param is required. So sounds like we could correctly state keys without use to be signing keys.
• Assume such keys to be available for signing use, but demote them over keys with use set.

Based on the OIDC discovery spec, I'm thinking that the third option would be fine while also being super simple. Would be good to understand this against your real-world use-case. Would you be able to share the data of your jwks_uri? (URL found when viewing your <issuer>/.well-known/openid-configuration url). Of course anonymise/hide any values but I'd just like to see how the options would fit against your actual scenario, since I have not come across an OIDC system that causes this.

[107142]

Hey,
I have since talked with the guys responsible for our IdP and the missing use key will be added, "fixing" the issue for me.
You can look at the jwks_uri if you want.

Assume such keys to be available for signing use.

I kinda like this one the most and understand it the same you do: unless stated otherwise, without the use present, keys are to be considered signing keys.
It would also seem to me that this is commonly used in the wild and it would make it compatible with the RFC (well within reason, those RFC are seriously not all that clear).

[ssddanbrown]

Thanks for the extra detail and confirmation of this logic @107142.
I have now updated the logic in e20c944 to assume that lack of use is treated as sig, and added a test to cover this scenario.

Will be part of the next feature release.

[107142]

Thank you for a speedy fix @ssddanbrown. Much appreciated.