Skip to content

ID-164 Take alg value from JWT if not present in JWK#128

Open
FlexonyoPizza wants to merge 2 commits into
inferno-framework:mainfrom
FlexonyoPizza:LeonsBranch
Open

ID-164 Take alg value from JWT if not present in JWK#128
FlexonyoPizza wants to merge 2 commits into
inferno-framework:mainfrom
FlexonyoPizza:LeonsBranch

Conversation

@FlexonyoPizza

Copy link
Copy Markdown
Contributor

Summary

The token payload test passed the JWK's alg field directly to JWT.decode as the sole allowed algorithm. But alg is optional on a JWK per RFC 7517. When a client's JWK omits it, algorithms: [nil] was passed and decoding failed with "Algorithm must be provided" which resulted in failing conformant clients.

The fix: Fall back to the alg from the JWT header (which is required per RFC 7515) when the JWK doesn't declare one.

Files changed (4):

  • token_payload_test.rb (v2.2.1) & token_payload_test.rb (v2.0.1) - decode the JWT header segment and use [jwk[:alg] || jwt_header['alg']]

  • Two matching spec files: added a test: "passes when JWK has no alg field but JWT header specifies alg"

Testing Guidance

  1. Edit crd_jwks.json and remove the "alg" line from the two verify keys only. Leave alg on the two sign keys

  2. Start the inferno server with:
    bundle exec inferno services start
    bundle exec inferno start

  3. Run the CRD Client v2.2.1 suite ("Run Against the CRD Server" preset) through any one of the hook groups, and check test 1.2.1.2.04 (The appointment hook group in this instance)

You should see that the JWT header alg is used as the fallback and the test still passes

image

@FlexonyoPizza FlexonyoPizza changed the title Leons branch ID-164 Take alg value from JWT if not present in JWK Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant