
Comments (18)

Sleuth56 avatar Sleuth56 commented on June 7, 2024

I ran into this issue as well on the latest version of Immich v1.93.3. I'm not sure why this issue is closed.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I ran into this issue as well on the latest version of Immich v1.93.3. I'm not sure why this issue is closed.

I closed it myself because I thought it was a very minor one, or rather a feature request. Most likely, if you own your identity server, you can specify its algorithm with some kind of configuration. Which server do you use?

from immich.

Sleuth56 avatar Sleuth56 commented on June 7, 2024

Defguard. I've talked with the devs and they are going to add that feature in a future release.
I'm not super familiar with OIDC, but from what I've been reading it seems like RSA and HS are both very common signing algorithms. And I'm pretty sure RSA has some benefits over HS.
There is a discussion around this in the initial PR, and it looks like this was initially going to be supported; however, there were some technical hurdles that delayed it, and the PR was merged before that part was finished.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

Defguard. I've talked with the devs and they are going to add that feature in a future release. I'm not super familiar with OIDC, but from what I've been reading it seems like RSA and HS are both very common signing algorithms. And I'm pretty sure RSA has some benefits over HS. There is a discussion around this in the initial PR, and it looks like this was initially going to be supported; however, there were some technical hurdles that delayed it, and the PR was merged before that part was finished.

I have reopened this issue and will let the developers figure it out. But I guess they would prefer you to open a discussion thread.

from immich.

jrasm91 avatar jrasm91 commented on June 7, 2024

What exactly needs to be changed to enable these other algorithms? Can you provide some details about the needed changes, if possible?

from immich.

Sleuth56 avatar Sleuth56 commented on June 7, 2024

@jrasm91 I only read this thread. I'm not sure otherwise. #884 (comment) I see that OAUTH_TOKEN_RESPONSE_ALG was going to be used to allow the server admin to set what signing algorithm to use but that isn't in the code anymore.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

What exactly needs to be changed to enable these other algorithms? Can you provide some details about the needed changes, if possible?

Could you please check /server/src/domain/auth/auth.service.ts Line 340? I am not very familiar with the TS openid-client library, but I highly suspect that this is what should be changed.

from immich.

jrasm91 avatar jrasm91 commented on June 7, 2024

@TheLonelinessOfHS this only applies to HS256.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

@TheLonelinessOfHS this only applies to HS256.

That's the problem. The default is RS256, and it is only changed when you discover HS256 (in the if statement). I think it should be a list of possible supported algorithms, or just remove the if, instead of HS256 alone.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

@jrasm91 I only read this thread. I'm not sure otherwise. #884 (comment) I see that OAUTH_TOKEN_RESPONSE_ALG was going to be used to allow the server admin to set what signing algorithm to use but that isn't in the code anymore.

Forgot to ask: what is the algorithm you are using? From the code I think it should support HS256. Could you please show me the error message?

from immich.

jrasm91 avatar jrasm91 commented on June 7, 2024

I believe it should infer the algorithm automatically. Maybe you can give me instructions to configure an algorithm that doesn't work and then I can take a look.

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I believe it should infer the algorithm automatically. Maybe you can give me instructions to configure an algorithm that doesn't work and then I can take a look.

Below are examples to illustrate my idea. I don't guarantee they will work, as I don't want to build the project myself and I am not very familiar with the library.
Using ES384 as an example, as I posted above in the error message:
// supports 'HS256', 'ES384' and the default RS256
if (['HS256', 'ES384'].includes(algorithms[0])) { // ['HS256', 'ES384'] is a whitelist. It might include all widely used and secure algorithms
metadata.id_token_signed_response_alg = algorithms[0];
}

return new issuer.Client(metadata);

// supports 'HS256', 'ES384' BUT NOT RS256
if (['HS256', 'ES384'].includes(algorithms[0])) { // ['HS256', 'ES384'] is a whitelist
metadata.id_token_signed_response_alg = algorithms[0];
return new issuer.Client(metadata);
}
// throw some "algorithm not supported" error here

One thing to consider is why we are using algorithms[0] here. Can the discovered algorithms array contain more than one entry? I am not familiar with the library, so I cannot say.

from immich.

jrasm91 avatar jrasm91 commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

Oh, sorry, I thought you were talking about the code. I am using logto.io instead of these identity providers. However, I think https://github.com/authelia/authelia/issues/4127 might be helpful. Anyway, I think anything other than RS256 and HS256 will trigger the error.

from immich.

Sleuth56 avatar Sleuth56 commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

Defguard, when configured with an RSA file (which is the recommended config), will produce an error because it tries to use RS256. Their install script sets up the server to use RSA. It's not hard to stand up a test env with it.

Here is the full error message from Immich if that is helpful.

immich_server            | [Nest] 7  - 01/25/2024, 1:23:38 AM   ERROR [RPError: unexpected JWT alg received, expected HS256, got: RS256
immich_server            |     at Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:911:13)
immich_server            |     at Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:766:60)
immich_server            |     at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:505:18)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
immich_server            |     at async AuthService.getOAuthProfile (/usr/src/app/dist/domain/auth/auth.service.js:225:24)
immich_server            |     at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:167:25)
immich_server            |     at async OAuthController.finishOAuth (/usr/src/app/dist/immich/controllers/oauth.controller.js:39:38)] Failed to finish oauth
immich_server            | [Nest] 7  - 01/25/2024, 1:23:38 AM   ERROR [RPError: unexpected JWT alg received, expected HS256, got: RS256
immich_server            |     at Client.validateJWT (/usr/src/app/node_modules/openid-client/lib/client.js:911:13)
immich_server            |     at Client.validateIdToken (/usr/src/app/node_modules/openid-client/lib/client.js:766:60)
immich_server            |     at Client.callback (/usr/src/app/node_modules/openid-client/lib/client.js:505:18)
immich_server            |     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
immich_server            |     at async AuthService.getOAuthProfile (/usr/src/app/dist/domain/auth/auth.service.js:225:24)
immich_server            |     at async AuthService.callback (/usr/src/app/dist/domain/auth/auth.service.js:167:25)
immich_server            |     at async OAuthController.finishOAuth (/usr/src/app/dist/immich/controllers/oauth.controller.js:39:38)] RPError: unexpected JWT alg received, expected HS256, got: RS256

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

Defguard, when configured with an RSA file (which is the recommended config), will produce an error because it tries to use RS256. Their install script sets up the server to use RSA. It's not hard to stand up a test env with it.

Here is the full error message from Immich if that is helpful.


From this I highly suspect that the discovery process got an array of supported algorithms and only algorithms[0] is used. BTW, I remember that metadata.id_token_signed_response_alg can take an array?

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

Defguard, when configured with an RSA file (which is the recommended config), will produce an error because it tries to use RS256. Their install script sets up the server to use RSA. It's not hard to stand up a test env with it.
Here is the full error message from Immich if that is helpful.


From this I highly suspect that the discovery process returned an array of multiple supported algorithms (because of the identity server) and only algorithms[0] is used. BTW, I remember that metadata.id_token_signed_response_alg can take an array?

from immich.

TheLonelinessOfHS avatar TheLonelinessOfHS commented on June 7, 2024

I was asking more about the configuration for authentik or Authelia on the OAuth server side. What does the client configuration look like that doesn't work with Immich?

Defguard, when configured with an RSA file (which is the recommended config), will produce an error because it tries to use RS256. Their install script sets up the server to use RSA. It's not hard to stand up a test env with it.
Here is the full error message from Immich if that is helpful.


From this I highly suspect

I believe it should infer the algorithm automatically. Maybe you can give me instructions to configure an algorithm that doesn't work and then I can take a look.

Below are examples to illustrate my idea. I don't guarantee they will work, as I don't want to build the project myself and I am not very familiar with the library.
Using ES384 as an example, as I posted above in the error message:
// supports 'HS256', 'ES384' and the default RS256
if (['HS256', 'ES384'].includes(algorithms[0])) { // ['HS256', 'ES384'] is a whitelist. It might include all widely used and secure algorithms
metadata.id_token_signed_response_alg = algorithms[0];
}

return new issuer.Client(metadata);

// supports 'HS256', 'ES384' BUT NOT RS256
if (['HS256', 'ES384'].includes(algorithms[0])) { // ['HS256', 'ES384'] is a whitelist
metadata.id_token_signed_response_alg = algorithms[0];
return new issuer.Client(metadata);
}
// throw some "algorithm not supported" error here

One thing to consider is why we are using algorithms[0] here. Can the discovered algorithms array contain more than one entry? I am not familiar with the library, so I cannot say.

Why not just write metadata.id_token_signed_response_alg = algorithm here? If you want to ensure the validity of the results, just use a filter or something.

from immich.
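The thread above turns on two points: which entry of the issuer's `id_token_signing_alg_values_supported` array to configure as `id_token_signed_response_alg`, and what the "unexpected JWT alg received" check behind the logged error is enforcing. The following is an added example written for this page, not Immich's or openid-client's code; `selectIdTokenAlg`, `checkIdTokenAlg`, `ALLOWED_ALGS`, the discovery document and the sample token are all constructed here to show an allow-list selection that does not depend on `algorithms[0]`, together with the header check that rejects a token whose `alg` differs from the configured one.

```javascript
// Added example (not Immich's code): choose the ID-token signing algorithm from
// the issuer's discovery document by allow-list, instead of taking algorithms[0],
// and check that the ID token actually received carries that algorithm.

// Algorithms this relying party is willing to verify, in preference order.
// Symmetric HS256 comes last because it is keyed with the shared client_secret.
const ALLOWED_ALGS = ['RS256', 'ES256', 'ES384', 'PS256', 'HS256'];

// Returns the value to set as metadata.id_token_signed_response_alg.
// Walks our preference list, so an issuer advertising several algorithms
// yields a deterministic choice and unknown algorithms are skipped.
function selectIdTokenAlg(supported, allowed = ALLOWED_ALGS) {
  const list = Array.isArray(supported) ? supported : [];
  for (const alg of allowed) {
    if (list.includes(alg)) return alg;
  }
  throw new Error(`no supported ID token algorithm in [${list.join(', ')}]`);
}

// Same rule as the logged RPError: the token header's alg must equal the
// configured algorithm. A missing alg or "none" is never accepted.
function checkIdTokenAlg(idToken, expectedAlg) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  if (typeof header.alg !== 'string' || header.alg === 'none') {
    throw new Error('missing or unacceptable JWT alg');
  }
  if (header.alg !== expectedAlg) {
    throw new Error(`unexpected JWT alg received, expected ${expectedAlg}, got: ${header.alg}`);
  }
  return header.alg;
}

// Constructed discovery document: HS256 is listed first, as the thread
// suspects, while the issuer actually signs with RS256.
const discoveryDoc = { id_token_signing_alg_values_supported: ['HS256', 'RS256'] };

function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Constructed sample token with a placeholder signature: only the header
// is inspected here; signature verification is the library's job.
const sampleIdToken = [b64url({ alg: 'RS256', typ: 'JWT' }), b64url({ sub: 'user1' }), 'sig'].join('.');

function demo() {
  const alg = selectIdTokenAlg(discoveryDoc.id_token_signing_alg_values_supported);
  return checkIdTokenAlg(sampleIdToken, alg); // 'RS256'
}
```

Taking `algorithms[0]` on the constructed document would configure HS256 and reproduce the "expected HS256, got: RS256" error; the allow-list walk configures RS256 and the check passes.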
