I would like to verify the signature of id_tokens provided through Open ID Connect (OIDC) by Azure AD. It is taking a long time to process and verify a single token, which will introduce significant delays to the user authentication experience, and force an extension to the maximum code execution time limit.

I'm using the PHP JWT Framework provided by Spomky Labs and it is taking around 42 seconds to verify a single token. Is this normal? It can be reproduced with the below (content of token is redacted).

<?php
// Classes come from web-token/jwt-framework installed via Composer; the autoloader is needed for the use statements below.
require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Serializer\JWSSerializerManager;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\Algorithm\RS256;

// Only RS256 is accepted; any token signed with another algorithm fails verification.
$algorithmManager = new AlgorithmManager([new RS256()]);
// Azure AD signing key (JWKS entry matching the token's "kid" header)
$publicKey = json_decode('{"kty":"RSA","use":"sig","kid":"-KI3Q9nNR7bRofxmeZoXqbHZGew","x5t":"-KI3Q9nNR7bRofxmeZoXqbHZGew","n":"tJL6Wr2JUsxLyNezPQh1J6zn6wSoDAhgRYSDkaMuEHy75VikiB8wg25WuR96gdMpookdlRvh7SnRvtjQN9b5m4zJCMpSRcJ5DuXl4mcd7Cg3Zp1C5-JmMq8J7m7OS9HpUQbA1yhtCHqP7XA4UnQI28J-TnGiAa3viPLlq0663Cq6hQw7jYo5yNjdJcV5-FS-xNV7UHR4zAMRruMUHxte1IZJzbJmxjKoEjJwDTtcd6DkI3yrkmYt8GdQmu0YBHTJSZiz-M10CY3LbvLzf-tbBNKQ_gfnGGKF7MvRCmPA_YF_APynrIG7p4vPDRXhpG3_CIt317NyvGoIwiv0At83kQ","e":"AQAB","x5c":["MIIDBTCCAe2gAwIBAgIQGQ6YG6NleJxJGDRAwAd/ZTANBgkqhkiG9w0BAQsFADAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MB4XDTIyMTAwMjE4MDY0OVoXDTI3MTAwMjE4MDY0OVowLTErMCkGA1UEAxMiYWNjb3VudHMuYWNjZXNzY29udHJvbC53aW5kb3dzLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALSS+lq9iVLMS8jXsz0IdSes5+sEqAwIYEWEg5GjLhB8u+VYpIgfMINuVrkfeoHTKaKJHZUb4e0p0b7Y0DfW+ZuMyQjKUkXCeQ7l5eJnHewoN2adQufiZjKvCe5uzkvR6VEGwNcobQh6j+1wOFJ0CNvCfk5xogGt74jy5atOutwquoUMO42KOcjY3SXFefhUvsTVe1B0eMwDEa7jFB8bXtSGSc2yZsYyqBIycA07XHeg5CN8q5JmLfBnUJrtGAR0yUmYs/jNdAmNy27y83/rWwTSkP4H5xhihezL0QpjwP2BfwD8p6yBu6eLzw0V4aRt/wiLd9ezcrxqCMIr9ALfN5ECAwEAAaMhMB8wHQYDVR0OBBYEFJcSH+6Eaqucndn9DDu7Pym7OA8rMA0GCSqGSIb3DQEBCwUAA4IBAQADKkY0PIyslgWGmRDKpp/5PqzzM9+TNDhXzk6pw8aESWoLPJo90RgTJVf8uIj3YSic89m4ftZdmGFXwHcFC91aFe3PiDgCiteDkeH8KrrpZSve1pcM4SNjxwwmIKlJdrbcaJfWRsSoGFjzbFgOecISiVaJ9ZWpb89/+BeAz1Zpmu8DSyY22dG/K6ZDx5qNFg8pehdOUYY24oMamd4J2u2lUgkCKGBZMQgBZFwk+q7H86B/byGuTDEizLjGPTY/sMms1FAX55xBydxrADAer/pKrOF1v7Dq9C1Z9QVcm5D9G4DcenyWUdMyK43NXbVQLPxLOng51KO9icp2j4U7pwHP"],"issuer":"https://login.microsoftonline.com/common/v2.0"}', true);
$token = "<<CONTENT_REDACTED>>";
$jwk = new JWK($publicKey);
$jwsVerifier = new JWSVerifier($algorithmManager);
$serializerManager = new JWSSerializerManager([new CompactSerializer()]);
// Parse the compact-serialized id_token into a JWS object
$jws = $serializerManager->unserialize($token);
// Verify signature index 0 against the key; this is the call that takes ~42 s
$isVerified = $jwsVerifier->verifyWithKey($jws, $jwk, 0);
var_dump($isVerified);

I'm running PHP 8.2.5 on CentOS Stream 9 on a 2-core VM with 16GB of memory.

TomBertie
  • Normally a library for validating RSA uses dedicated hardware that is available on most machines. Maybe this one doesn't? Can you check CPU activity (using for example the `top` command in Linux) during this period and extend your question with the result? – Andreas Lundgren Aug 15 '23 at 20:23

1 Answer

As explained multiple times in the documentation and on the GitHub bug tracker (e.g. https://github.com/web-token/jwt-framework/blob/3.3.x/src/SignatureAlgorithm/RSA/composer.json#L46 or https://github.com/web-token/jwt-framework/issues/439#issuecomment-1488003795), this is mainly due to the absence of the GMP or BCMATH extension. Please make sure one or the other extension is available for better performance.

Spomky-Labs
  • Thank you Spomky-Labs. I did search around but couldn't find this reference. I've installed the extensions and it is working well now. – TomBertie Aug 16 '23 at 09:43
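The accepted explanation is that RSA verification in this framework falls back to a pure-PHP big-integer implementation when neither ext-gmp nor ext-bcmath is loaded. Apart from the latency, a verification that costs tens of CPU seconds per request is a resource-exhaustion risk on an unauthenticated login endpoint, so the extension check is worth turning into a deployment-time assertion rather than something discovered from a 42-second stopwatch. The script below is an added example, not code from the question or from the jwt-framework project: it reports which big-integer backend PHP offers, times `verifyWithKey`, and then runs the claim checks (`iss`, `aud`, `exp`) that an id_token needs on top of a valid signature, using the `Jose\Component\Checker` classes from the same framework (package web-token/jwt-checker). The token, JWKS entry, tenant id and client id are placeholders to fill in; `verifyIdToken` and `bigIntBackend` are names chosen here.

```php
<?php
// Added example (not from the question or the jwt-framework project).
// Assumes web-token/jwt-framework and web-token/jwt-checker are installed via Composer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Checker\AudienceChecker;
use Jose\Component\Checker\ClaimCheckerManager;
use Jose\Component\Checker\ClaimExceptionInterface;
use Jose\Component\Checker\ExpirationTimeChecker;
use Jose\Component\Checker\IssuerChecker;
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Signature\Algorithm\RS256;
use Jose\Component\Signature\JWSVerifier;
use Jose\Component\Signature\Serializer\CompactSerializer;
use Jose\Component\Signature\Serializer\JWSSerializerManager;

/** Which big-integer extension PHP has loaded; null means the slow pure-PHP fallback is in use. */
function bigIntBackend(): ?string
{
    if (extension_loaded('gmp')) {
        return 'gmp';
    }
    if (extension_loaded('bcmath')) {
        return 'bcmath';
    }
    return null;
}

/**
 * Verify an RS256 id_token (signature, then claims) and report how long it took.
 * $jwkArray is the JWKS entry whose "kid" matches the token header.
 * $expectedIssuer / $expectedAudience come from your tenant and app registration.
 */
function verifyIdToken(string $token, array $jwkArray, string $expectedIssuer, string $expectedAudience): array
{
    $start = hrtime(true);

    $jws = (new JWSSerializerManager([new CompactSerializer()]))->unserialize($token);

    // Signature: only RS256 is registered, so tokens claiming another "alg" are rejected.
    $verifier = new JWSVerifier(new AlgorithmManager([new RS256()]));
    $signatureOk = $verifier->verifyWithKey($jws, new JWK($jwkArray), 0);

    // Claims: a valid signature only proves who signed the token, not that it is meant for this app or still valid.
    $claimsOk = false;
    if ($signatureOk) {
        $claims = json_decode((string) $jws->getPayload(), true, 512, JSON_THROW_ON_ERROR);
        $checker = new ClaimCheckerManager([
            new IssuerChecker([$expectedIssuer]),
            new AudienceChecker($expectedAudience),
            new ExpirationTimeChecker(60), // tolerate 60 s of clock drift
        ]);
        try {
            $checker->check($claims, ['iss', 'aud', 'exp']); // the three claims are mandatory
            $claimsOk = true;
        } catch (ClaimExceptionInterface $e) {
            $claimsOk = false;
        }
    }

    return [
        'signature_ok' => $signatureOk,
        'claims_ok'    => $claimsOk,
        'seconds'      => (hrtime(true) - $start) / 1e9,
    ];
}

// Preflight: fail loudly at deploy time instead of discovering the fallback from slow logins.
$backend = bigIntBackend();
if ($backend === null) {
    fwrite(STDERR, "WARNING: neither ext-gmp nor ext-bcmath is loaded; RSA verification will use the slow pure-PHP fallback.\n");
} else {
    echo "big-integer backend: {$backend}\n";
}

// Placeholders: paste the id_token and the matching JWKS entry (selected by the token's "kid" header).
$token    = '<<ID_TOKEN>>';
$jwkArray = json_decode('<<JWKS_ENTRY_JSON>>', true, 512, JSON_THROW_ON_ERROR);
$result   = verifyIdToken(
    $token,
    $jwkArray,
    'https://login.microsoftonline.com/<<TENANT_ID>>/v2.0',
    '<<CLIENT_ID>>'
);
printf(
    "signature=%s claims=%s in %.3fs\n",
    $result['signature_ok'] ? 'ok' : 'FAIL',
    $result['claims_ok'] ? 'ok' : 'FAIL',
    $result['seconds']
);
```

With GMP or BCMath present the timing should land in the low milliseconds on the hardware described in the question; if it stays in the tens of seconds, the warning line on stderr is the first thing to look at.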