Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Webhook Connector] Handle missing ALG key in JWT Auth #3794

Closed
johnBgood opened this issue Dec 13, 2024 · 2 comments · Fixed by #3845
Closed

[Webhook Connector] Handle missing ALG key in JWT Auth #3794

johnBgood opened this issue Dec 13, 2024 · 2 comments · Fixed by #3845
Assignees
@mathias-vandaele
Labels
backport release/8.6 kind:bug Something isn't working support Support ticket

Comments

@johnBgood
Copy link
Collaborator

johnBgood commented Dec 13, 2024
edited by kam-uddin
Loading

Support issue
https://jira.camunda.com/browse/SUPPORT-24829
https://jira.camunda.com/browse/SUPPORT-25323

Describe the Bug

The alg key is optional in the JWK Specification. Currently, we expect this key to be there or it throws an NPE.

This works with Keycloak as the alg key is present, but with Entra for instance it might not work.

The fix should be backported to 8.6.

Steps to Reproduce

  1. Use EntraID
  2. Use a Webhook StartEvent with JWT Auth
  3. Send a request
  4. A 500 error is returned

Expected Behavior

A 200 response should be returned as usual.
@johnBgood johnBgood added kind:bug Something isn't working support Support ticket labels Dec 13, 2024
@sbuettner
Copy link
Contributor

More information was requested in the incident slack channel: https://camunda.slack.com/archives/C083JMZGUS2/p1734344977153109

@sbuettner
Copy link
Contributor

sbuettner commented Dec 23, 2024
edited
Loading

The Connector should use the alg value which is part of the JWT headers as a fallback:

{
  "typ": "JWT",
  "alg": "RS256",
  "x5t": "...",
  "kid": "..."
}

@sbuettner sbuettner changed the title [Webhook Connecotr] Handle missing ALG key in JWT Auth [Webhook Connector] Handle missing ALG key in JWT Auth Dec 23, 2024
@mathias-vandaele mathias-vandaele mentioned this issue Jan 13, 2025
Merged
1 task
@mathias-vandaele mathias-vandaele linked a pull request Jan 13, 2025 that will close this issue
feat(authentication-webhook): change way to retrieve algorithm, more … #3845
Merged
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mathias-vandaele mathias-vandaele

Labels
backport release/8.6 kind:bug Something isn't working support Support ticket
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(authentication-webhook): change way to retrieve algorithm, more … camunda/connectors
3 participants
@sbuettner @johnBgood @mathias-vandaele