oidc: verify the ID Token's signature before processing claims #464
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This change updates the verification logic of this library to first validate the ID Token instead of parsing claims. This hopefully makes it harder for a malicious client to provide an invalid token for validation that's crafted to cause this package to over-allocate memory. See the associated bug and CVE-2025-27144. Fixes coreos#463
|
Can you publish an advisory at https://github.com/coreos/go-oidc/security ? |
ericchiang
added a commit
to ericchiang/go-oidc
that referenced
this pull request
Aug 2, 2025
This change updates the verification logic of this library to always verify the signature of the token before validating the payload. See associated issue. coreos#464
ericchiang
added a commit
to ericchiang/go-oidc
that referenced
this pull request
Aug 2, 2025
This change updates the verification logic of this library to always verify the signature of the token before validating the payload. See associated issue. coreos#464
ericchiang
added a commit
that referenced
this pull request
Aug 2, 2025
This change updates the verification logic of this library to always verify the signature of the token before validating the payload. See associated issue. #464
atoulme
pushed a commit
to open-telemetry/opentelemetry-collector-contrib
that referenced
this pull request
Aug 6, 2025
…41694) <!--Ex. Fixing a bug - Describe the bug and how this fixes the issue. Ex. Adding a feature - Explain what this achieves.--> #### Description - Upgrades go-oidc to include [this ](coreos/go-oidc#464 - Removes the custom JWT parsing code and replaces it with an equivalent function from go-jose. <!-- Issue number (e.g. #1234) or full URL to issue, if applicable. --> #### Link to tracking issue Fixes #41556. <!--Describe what testing was performed and which tests were added.--> #### Testing I'm relying on existing unit tests.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change updates the verification logic of this library to first validate the ID Token instead of parsing claims. This hopefully makes it harder for a malicious client to provide an invalid token for validation that's crafted to cause this package to over-allocate memory. See the associated bug and CVE-2025-27144.
Fixes #463