Vulnerability in OpenID Connect
As a consequence of a vulnerability in OpenID Connect, changes have been made to the use of the private_key_jwt parameter, which HelseID uses for client authentication. The changes are being established as a new specification that obsoletes RFC 7523 and updates RFC 7521 and RFC 9126.
- The vulnerability can be exploited by an attacker who, in some situations, can control values in the Audience claim of the client_assertion parameter sent by the client to both the PAR and the token endpoints in HelseID.
- The vulnerability can let an attacker impersonate a legitimate client.
- Several assumptions must be fulfilled for a valid attack, and we consider the probability of misuse to be low.
- No known attacks of this type have yet been discovered.
The private_key_jwt parameter is the only way to authenticate a client configuration for HelseID, and therefore all client systems must make changes, in code, in configuration, or both. The changes that a provider must make to mitigate the vulnerability are the following:
- The aud claim in the JWT provided by the client to HelseID in the client_assertion parameter must always have the value https://helseid-sts.nhn.no in production and https://helseid-sts.test.nhn.no in test. No other values will be accepted. Some vendors may have used other values and must therefore check that the client system is consistent with the accepted values. This is a new change to the specification that obsoletes any other types of values.
- The typ header in the JWT provided by the client to HelseID in the client_assertion parameter must always have the value client-authentication+jwt. No other values will be accepted. This is a new change to the specification.
A client_assertion can look like this; notice the typ and aud values:
{
  "alg": "RS256",
  "kid": "AE16FAAAAAC3E5998BD19CB895DB95E9",
  "typ": "client-authentication+jwt"
}.{
  "sub": "YOUR CLIENT ID",
  "iat": 1677743803,
  "jti": "892ba3d44a37411ebc92482234176157",
  "nbf": 1677743803,
  "exp": 1677743863,
  "iss": "YOUR CLIENT ID",
  "aud": "https://helseid-sts.test.nhn.no"
}.[Signature]
These values are described in the document Using Client Assertions for client authentication in HelseID.
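The page contains no code for producing or checking such an assertion, so the following Go program is an added example, not HelseID's or any vendor's code. It builds an RS256-signed client_assertion with the header and claims shown above, then validates it the way the receiving endpoint must after this change: signature first, then an exact match on the typ header and the aud claim, then the nbf/exp window. The two STS URLs, the typ value and the YOUR CLIENT ID placeholder are taken from the page; the key id "example-kid", the 60-second lifetime, the throwaway RSA key and the rejected sample audience are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Required values from the page; the client id is the page's own placeholder.
const (
	HelseIDProd = "https://helseid-sts.nhn.no"      // aud in production
	HelseIDTest = "https://helseid-sts.test.nhn.no" // aud in test
	RequiredTyp = "client-authentication+jwt"       // typ header
	ClientID    = "YOUR CLIENT ID"
)

// Header and Claims mirror the client_assertion shown on the page.
type Header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	Typ string `json:"typ"`
}
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"` // plain string: an aud array fails to decode and is rejected
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Nbf int64  `json:"nbf"`
	Exp int64  `json:"exp"`
}

var enc = base64.RawURLEncoding

// NewKey generates a throwaway 2048-bit RSA key; a real client uses its registered key.
func NewKey() *rsa.PrivateKey {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	return key
}

// NewClientAssertion builds an RS256-signed client_assertion with a 60 s lifetime;
// typ and aud are parameters so that non-compliant values can be produced as well.
func NewClientAssertion(key *rsa.PrivateKey, typ, aud string, now time.Time) (string, error) {
	var jti [16]byte
	rand.Read(jti[:]) // crypto/rand: fresh id per assertion
	h, _ := json.Marshal(Header{Alg: "RS256", Kid: "example-kid", Typ: typ}) // kid is constructed
	c, _ := json.Marshal(Claims{Iss: ClientID, Sub: ClientID, Aud: aud, Jti: fmt.Sprintf("%x", jti[:]),
		Iat: now.Unix(), Nbf: now.Unix(), Exp: now.Add(60 * time.Second).Unix()})
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// ValidateClientAssertion is the receiving side: the algorithm is fixed to RS256 (never
// taken from the header), the signature is checked before any claim is acted on, and
// typ and aud must match the required values exactly.
func ValidateClientAssertion(token string, pub *rsa.PublicKey, expectedAud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWT")
	}
	var h Header
	var c Claims
	rawH, errH := enc.DecodeString(parts[0])
	rawC, errC := enc.DecodeString(parts[1])
	sig, errS := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	switch t := now.Unix(); {
	case errH != nil || errC != nil || errS != nil ||
		json.Unmarshal(rawH, &h) != nil || json.Unmarshal(rawC, &c) != nil:
		return nil, errors.New("undecodable JWT")
	case rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil:
		return nil, errors.New("invalid signature")
	case h.Typ != RequiredTyp:
		return nil, fmt.Errorf("typ must be %q, got %q", RequiredTyp, h.Typ)
	case c.Aud != expectedAud:
		return nil, fmt.Errorf("aud must be %q, got %q", expectedAud, c.Aud)
	case t < c.Nbf || t >= c.Exp:
		return nil, errors.New("assertion outside its nbf/exp window")
	}
	return &c, nil
}

func main() {
	key, now := NewKey(), time.Now()
	for _, typ := range []string{RequiredTyp, "JWT"} {
		tok, _ := NewClientAssertion(key, typ, HelseIDTest, now)
		_, err := ValidateClientAssertion(tok, &key.PublicKey, HelseIDTest, now)
		fmt.Printf("typ=%q -> error: %v\n", typ, err)
	}
}
```

Running it shows the compliant assertion accepted and the one carrying the older typ value JWT rejected; swapping the audience for anything other than the configured STS URL, or validating a test-environment assertion against the production value, is rejected in the same way. Note that the validator compares aud with plain string equality and takes the expected value from its own configuration, which is the point of the change: the audience is no longer something the sender gets to choose.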