    Restrict issuer when using "External JWT" identity provider

    whuysentruit:

      The "External JWT" identity provider allows us to authenticate against an application using an external JWT. As far as I can see, the only way to allow/disallow external JWTs on this "External JWT" identity provider is whether or not the kid is known in the Key Master configuration.

      I can't seem to find a way to restrict a certain external issuer to a certain "External JWT" identity provider which is problematic if we have multiple applications with different relying-parties.

      For example:

      "External JWT IdP A" is linked to "Application A"
      "External JWT IdP B" is linked to "Application B"
      on "Application A" we want to allow external JWTs of Issuer 1, with kid X.
      on "Application B" we want to allow external JWTs of Issuer 2, with kid Y.

      But since both kids are known in Key Master, both External JWT IdPs will accept any JWT; it doesn't matter if it's kid X or Y. Is there a way to restrict this (f.e. link a specific signing key to a specific external IdP, or validate the iss field in the external JWT)? As currently this is a major security issue for us.

      dan @whuysentruit:

        @whuysentruit

        Hmmm.

        One option to explore would be using a custom lambda for each IdP, and setting a custom value (iss_unexpected) on the user/registration if the issuer is not what you expect. Then you could pull the value from the user/registration and set it in the JWT issued by FusionAuth, and have your application check it.

        I don't see any way to accomplish this using the standard options.

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        whuysentruit @dan:

          @dan thanks for your answer.

          I believe it should be possible to add this restriction in FusionAuth by configuration, as it presents a security issue for integrations using more than one External JWT. And as FusionAuth is multi-tenant, this could seriously go wrong.

          What I would like to propose is that the setting Default verification key is changed into Verification key. If the token contains a kid, it must match with what is configured there and the signature must be correct. If the token does not contain a kid, the signature must be correct according to the key selected there. Is this the correct place to request such a feature?

          [screenshot of the "Default verification key" setting]

          dan @whuysentruit:

            @whuysentruit

            Sure, we welcome feature requests from the community! Members can upvote them and we review the upvotes when considering future development.

            Here's the GitHub repo to file the issue in: https://github.com/FusionAuth/fusionauth-issues/issues/

            Please feel free to reference this forum post and give as many details as you can. This helps us understand the use case.

            More about our roadmap process: https://fusionauth.io/docs/operate/roadmap/roadmap

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io
