OpenOLAT OpenID Connect Implicit Flow JWT Signature Verification Vulnerability

Vulnerability

A vulnerability exists in OpenOLAT versions from 10.5.4 up to, but not including, 20.2.5, where the OpenID Connect implicit flow implementation fails to verify JSON Web Token (JWT) signatures. The issue arises because the 'JSONWebToken.parse()' method ignores the signature segment of the JWT, and the 'getAccessToken()' methods in both 'OpenIdConnectApi' and 'OpenIdConnectFullConfigurableApi' only check claim-level fields without performing cryptographic signature validation against the Identity Provider's JWKS endpoint. This flaw allows an attacker to forge a JWT and gain unauthorized access to an authenticated session, potentially as an administrator.
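The following is an added example, not OpenOLAT's code: it contrasts the flawed parse pattern described above (signature segment dropped, claims returned unchecked) with a verifier that resolves the signing key by 'kid' from the provider's JWKS document, pins the algorithm, checks the signature in constant time, and only then checks 'iss', 'aud' and 'exp'. It assumes a constructed JWKS with a symmetric "oct" key so that it runs on the Python standard library; real OIDC providers publish RSA/EC keys, for which the HMAC step becomes an RS256/ES256 verify with the same key-resolution and claim logic.

```python
import base64, hashlib, hmac, json
# Constructed JWKS standing in for the provider's jwks_uri response. Assumption: a
# symmetric "oct" key so the example runs on the standard library alone; real OIDC
# providers publish RSA/EC keys, and the HMAC step below becomes an RS256/ES256 verify.
DEMO_KEY = b"constructed-demo-secret-0123456789"
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "alg": "HS256",
                  "k": base64.urlsafe_b64encode(DEMO_KEY).rstrip(b"=").decode()}]}

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_unverified(token: str) -> dict:
    """The flawed pattern: the signature segment is dropped and claims come back unchecked."""
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(payload_b64))

def verify_and_parse(token: str, jwks: dict, issuer: str, client_id: str, now: float) -> dict:
    """Resolve the key by kid from the JWKS, pin the alg to what that key advertises
    (never what the token asks for), check the signature, then check iss/aud/exp."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    keys = [k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "oct"]
    if not keys or keys[0].get("alg") != "HS256" or header.get("alg") != "HS256":
        raise ValueError("unknown kid or unexpected alg")
    expected = hmac.new(b64url_decode(keys[0]["k"]), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != client_id or claims.get("exp", 0) <= now:
        raise ValueError("iss/aud/exp check failed")
    return claims

def accepted(token: str, jwks: dict, issuer: str, client_id: str, now: float) -> bool:
    try:
        verify_and_parse(token, jwks, issuer, client_id, now)
        return True
    except ValueError:
        return False

def make_token(claims: dict, key: bytes, kid: str) -> str:
    """Provider side: mint an HS256 token (used here only to build sample inputs)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"
```

A token signed with anything other than the key the JWKS returns for its 'kid' still parses cleanly through parse_unverified but is rejected by verify_and_parse, which is the difference between the affected and the corrected behaviour.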

Impact

Exploitation of this vulnerability allows for authentication bypass via forged JWTs, enabling attackers to obtain authenticated sessions as any user, including administrators.

Remediation

Users can upgrade to OpenOLAT version 20.2.5 or later and switch to a different authentication method, as the OIDC implicit flow is no longer supported. For those on version 20.2.5, the OIDC implicit flow login provider can be disabled by setting 'oauth.openidconnectif.enabled=false' in 'olat.local.properties' or by disabling 'OpenID Connect' in the admin console under 'Administration > Login > OAuth 2.0'. Custom OIDC providers configured through 'OpenIdConnectFullConfigurableProvider' with the implicit flow should likewise be disabled.

Added: Mar 30, 2026, 9:33 PM
Updated: Mar 30, 2026, 9:33 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 8.1
remediation: 8.3
relevance: 4.9
threat: 0.0
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.