🔴 [P0] Implement OIDC token validation (authentication bypass) #271

New Issue

Closed

opened 2026-02-03 22:29:13 +00:00 by jason.woltje · 0 comments

jason.woltje commented 2026-02-03 22:29:13 +00:00

Owner

Copy Link

Summary

OIDC token validation is a placeholder that always returns valid: false. Federated authentication is completely non-functional.

Location

apps/api/src/federation/oidc.service.ts:114-138

Security Impact

• Complete authentication bypass for federated users
• Any attacker can impersonate any user on federated instances
• Identity linking (#87) and OIDC integration (#86) are non-functional

Required Implementation

1. Use jose or jsonwebtoken library for JWT validation
2. Fetch OIDC discovery metadata from remote instances
3. Retrieve and cache JWKS (JSON Web Key Set)
4. Verify JWT signature using public key from JWKS
5. Validate all claims (iss, aud, exp, nbf, iat)
6. Handle token refresh mechanism

Acceptance Criteria

• JWT signature verification works
• All standard claims validated
• JWKS fetching and caching implemented
• Token validation integration tests pass
• Identity linking works with valid OIDC tokens
• Invalid tokens properly rejected

Priority

CRITICAL (P0) - Blocks production deployment

## Summary OIDC token validation is a placeholder that always returns `valid: false`. Federated authentication is completely non-functional. ## Location `apps/api/src/federation/oidc.service.ts:114-138` ## Security Impact - Complete authentication bypass for federated users - Any attacker can impersonate any user on federated instances - Identity linking (#87) and OIDC integration (#86) are non-functional ## Required Implementation 1. Use `jose` or `jsonwebtoken` library for JWT validation 2. Fetch OIDC discovery metadata from remote instances 3. Retrieve and cache JWKS (JSON Web Key Set) 4. Verify JWT signature using public key from JWKS 5. Validate all claims (iss, aud, exp, nbf, iat) 6. Handle token refresh mechanism ## Acceptance Criteria - [ ] JWT signature verification works - [ ] All standard claims validated - [ ] JWKS fetching and caching implemented - [ ] Token validation integration tests pass - [ ] Identity linking works with valid OIDC tokens - [ ] Invalid tokens properly rejected ## Priority **CRITICAL (P0)** - Blocks production deployment

jason.woltje added the securityp0apiapi labels 2026-02-03 22:29:13 +00:00

jason.woltje added this to the M7.1-Remediation (0.0.8) milestone 2026-02-03 22:31:44 +00:00

jason.woltje referenced this issue from a commit 2026-02-03 22:51:25 +00:00

fix(#271): implement OIDC token validation (authentication bypass)

jason.woltje referenced a pull request that will close this issue 2026-02-03 22:51:31 +00:00

fix(#271): Implement OIDC token validation (authentication bypass) #299

jason.woltje referenced this issue from a commit 2026-02-04 01:31:33 +00:00

Merge pull request 'fix(#271): Implement OIDC token validation (authentication bypass)' (#299) from fix/271-oidc-token-validation into develop

jason.woltje closed this issue 2026-02-04 01:31:33 +00:00

jason.woltje referenced this issue from a commit 2026-02-04 01:32:36 +00:00

fix: Resolve merge conflicts with develop

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

fix/ci-glibc-image

fix/dockerfile-npmrc

fix/matrix-native-binary

fix/kaniko-cache

fix/base-image-kaniko-v2

fix/base-image-kaniko

feat/custom-base-image

ci/pnpm-cache

fix/interceptor-tests

fix/kanban-tests

feat/wire-chat

feat/usage-widget

fix/security-hardening

fix/project-domain-v2

feat/kanban-add-task

fix/project-domain-attach

fix/logs-page-clean

fix/workspace-members

fix/ci-lint-632

fix/file-manager-tags

fix/csrf-debug-log

fix/controller-type-imports

fix/system-admin-env

fix/gateway-cors-trusted-origins

feat/project-detail-page

fix/fleet-provider-form-dto-v2

fix/ms22-audit

fix/orchestrator-widgets

fix/fleet-provider-form-dto

fix/csrf-bearer-bypass

fix/ms22-missing-authmodule-imports

fix/container-lifecycle-config-module

fix/swarm-compose-ms22-vars

chore/ms22-p1-complete

feat/ms22-p1h-settings-ui

feat/ms22-p1f-onboarding-ui

feat/ms22-p1i-chat-proxy

feat/ms22-p1k-idle-reaper

feat/ms22-p1j-docker

feat/ms22-p1e-onboarding-api

feat/ms22-p1g-settings-api

feat/ms22-p1d-container-mgr

feat/ms22-p1c-config-api

chore/ms22-prd-tracking

feat/ms22-p1a-schema

feat/ms22-p1b-crypto

chore/ms22-p1-tasks

docs/ms22-architecture

feat/ms22-openclaw-docker

feat/ms22-openclaw-gateway-module

chore/ms21-complete

chore/ms21-final-tasks-done

fix/ms21-ui-001-qa

test/ms21-ui-tests

chore/ms21-tasks-sync

chore/ms22-phase0-complete

feat/ms22-ingest-clean

feat/ms21-ui-users-members

feat/ms22-task-agent

chore/tasks-final

chore/tasks-update

feat/ms21-session-invalidation

feat/ms21-rbac-settings

feat/ms21-teams-page

feat/ms21-users-page

feat/ms19-terminal-persistence

v0.0.21

v0.20.0

v0.0.15

v0.0.2

Labels

Clear labels

ai

AI/LLM integration

api

Backend/API work

api

auth

Authentication

database

database

Database/schema work

devops

Docker/deployment

docs

Documentation

frontend

graph

knowledge-module

migration

Data migration

orchestrator

Orchestrator service (apps/orchestrator/)

p0

Critical priority

p1

High priority

p2

Medium priority

p3

Low priority

performance

Performance work

phase-1

phase-2

phase-3

phase-4

phase-5

plugin

MoltBot plugin work

search

security

Security-related

setup

Initial setup

testing

Testing/QA

web

Frontend work

No Label api api p0 security

Milestone

No items

No Milestone M7.1-Remediation (0.0.8)

Projects

Clear projects

No project

Assignees

Clear assignees

jason.woltje

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: mosaic/stack#271