Skip to content
Open
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion src/internal/auth/jwt.ts
Original file line number Diff line number Diff line change
Expand Up @@ -90,7 +90,7 @@ async function findJWKFromHeader(
// couldn't find a matching JWK, try to use the secret
return encoder.encode(secret)
}
return await importJWK(jwk)
return await importJWK(jwk, header.alg)

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now, we also need to fix the jwk filtering above because otherwise jwk with a particular algorithm will verify a token with an algorithm that isn't created for. For example, jwk says RS256 but header says RS512

And it's also better to pass jwk.alg || header.alg here for clearer intention

}
Comment on lines 98 to 102

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, we need to see some tests as well

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • accept asymmetric jwt when matching jwk has no alg
  • reject asymmetric jwt when matching jwk has a different alg
  • reject hmac jwt when matching jwk has a different alg


function getJWTVerificationKey(secret: string, jwks: JwksConfig | null): JWTVerifyGetKey {
Expand Down