ID-164 Take alg value from JWT if not present in JWK#128
Open
FlexonyoPizza wants to merge 2 commits into
Open
Conversation
f735df0 to
8fcd4e9
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The token payload test passed the JWK's alg field directly to JWT.decode as the sole allowed algorithm. But alg is optional on a JWK per RFC 7517. When a client's JWK omits it, algorithms: [nil] was passed and decoding failed with "Algorithm must be provided" which resulted in failing conformant clients.
The fix: Fall back to the alg from the JWT header (which is required per RFC 7515) when the JWK doesn't declare one.
Files changed (4):
token_payload_test.rb (v2.2.1) & token_payload_test.rb (v2.0.1) - decode the JWT header segment and use [jwk[:alg] || jwt_header['alg']]
Two matching spec files: added a test: "passes when JWK has no alg field but JWT header specifies alg"
Testing Guidance
Edit crd_jwks.json and remove the "alg" line from the two verify keys only. Leave alg on the two sign keys
Start the inferno server with:
bundle exec inferno services start
bundle exec inferno start
Run the CRD Client v2.2.1 suite ("Run Against the CRD Server" preset) through any one of the hook groups, and check test 1.2.1.2.04 (The appointment hook group in this instance)
You should see that the JWT header alg is used as the fallback and the test still passes