Mitigate replay of modified JWT from Passport-JS
The issue seems to be in the way that passport communicates the completion of sign-in back to oxAuth when a user logs into a third party provider. The provider sends a SAML assertion back to passport, and then passport sends a POST with a JWT to oxAuth to assert that the authentication has completed. That JWT is signed, but an attacker can change the signing algorithm to 'none' and remove the signature, and then change the expiration time. Using that modified JWT they can replay it to oxAuth at any time later, without the user having completed sign-in at the partner, and it continues the flow, sending a SAML success back to the RP.
This may be partially fixed in 4.1 when encryption is included.
Possible Solution/Recommendations
Actually - "JWT tokens shall travel over https", that's the prerequisite to use JWT, and we are doing and recommending so.
But let's say theoretically we assume that is possible (man-in-the-middle). Then oxAuth can be enhanced to reject JWTs that have no signing algorithm defined (and we can publish a guideline in the docs - like shibb says an unspecified nameid is not allowed).
Issue Analytics
- Created 3 years ago
- Comments: 8 (6 by maintainers)
I believe this needs to be implemented in the passport-saml authn interception script.
Closing as fixed.