Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Return alg as part oft he JWKS URL #176

Closed
mohsinhijazee opened this issue Jan 31, 2025 · 1 comment · Fixed by #186
Closed

Return alg as part oft he JWKS URL #176

mohsinhijazee opened this issue Jan 31, 2025 · 1 comment · Fixed by #186

Comments

@mohsinhijazee
Copy link

When returning the set of keys via JWKS URL (the GET /.well-known/jwks.json endpoint), would be nice if we return the algorithm as well. One example where is necessary is when loading the JWKS via famous and widely used jwx package.

Example:

import (
	"github.com/lestrrat-go/jwx/v3/jwk"
	"github.com/lestrrat-go/jwx/v3/jwt"
)



// Fetch the keys:
keys, err := jwk.Fetch(context.Background(), "http://somewhere.com/.well-known/jwks.json")

tokenString = "eyJhbGciOiJIUzI1NiJ9.eyJSb2xlIjoiQWRtaW4iLCJJc3N1ZXIiOiJJc3N1ZXIiLCJVc2VybmFtZSI6IkphdmFJblVzZSIsImV4cCI6MTczODM0NDkxMiwiaWF0IjoxNzM4MzQ0OTEyfQ.9OCqnevzFUX1lgS1CZRrVZfnXLYji1uasBWMWfhwDOs
"

// This will never succeed because jwx not only considers the key Id but also considers the algorithm as well as an additional security measure. 
// And when not present, will not consider the key at all despite matching key ID with the payload provided.
result, err := jwt.Parse([]byte(tokenString), jwt.WithKeySet(keys))

But if you load the keys with the alg key, it will work fine such as:

var googleKeys = `
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "kid": "6337be6364f3824008d0e9003f50bb6b43d5a9c6",
      "kty": "RSA",
      "n": "4gQqqklPFAI4AKTr0HPsxjHsJ3mAaPejrJ_aplDZsYUyH3bvEZ0vddQ7VYRy-Hozt-4lNjaw-T3fosSATtSGrQ2UtAkrxsS3_oeOgHyQ1Xt-OH3Pzgq1HZVMXf_xxCxOzhBffnCehI5eXZ2GxLn_1Xz-FNw2SJqNGudrxD4HodkhGsHvhbelvfE9-tozoFxlT7rIK8fWpR4SpZwQjbMhHYKjSAbuVjbZoF7wL0cqWYo3zT9OHp8XbfLqduabPgYN1CVuNYMomWIHdQO3SKdNXdgLbOqhkQ5xAbEo75C2zYcBHWfPuiVZclpClVPR7rN_sJPz7s6MWGQvMw3FpqcQyw",
      "use": "sig"
    },
    {
      "e": "AQAB",
      "alg": "RS256",
      "kid": "fa072f75784642615087c7182c101341e18f7a3a",
      "n": "pleuF0RyDsETygZn89RpGVFNMxG_hdYVnvbHadvM1tYxs9ghDq93NFxejt--1QlwpLQ3yuVY_CKldkAWgzPVl8-oUBe5xh9jzpLUTqcyrS1aFLuzAe13-OTadUE18wvhz9goQf80rg5IztD_gBePOOBE7eWHGqWLghuMb7cIYjgFxqNFyPn8bF_7k8pQAeHIPua_6_GHhw3ML4msp-aU7O1io3Z4P_Bir_6_C5J9UtWAcJ0Ez0YC5FxOMkh27joO5mUas8krGnFqIJTOgDYXQC1QTu-HOCRNvi6gFMqEkDTP5oBK2cDPDq5L0T8Q0UanSPR0BuOTHesCXnDAdxdyXw",
      "kty": "RSA",
      "use": "sig"
    }
  ]
}
`
keys, err := jwk.Parse([]byte(googleKeys))

// use the keys and it'll be alright because alg is pvoided.

I believe this small imrovement can make working with the IdP much simpler.
@thdxr
Copy link
Contributor

thdxr commented Feb 3, 2025

happy to take a PR for this

@lettucebowler lettucebowler mentioned this issue Feb 7, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Return alg for each signing key from /jwks.json endpoint lettucebowler/openauth
2 participants
@mohsinhijazee @thdxr