jwt-authorizer fails with an AuthErrors::JwksRefreshError: error decoding response body: unknown variant 'RSA-OAEP' when the JWKS URL contains a key where alg is RSA-OAEP.
FYI there may be a fix to this coming up in jsonwebtoken as per Keats/jsonwebtoken#252 (comment). Hopefully 🤞 that comes in soon and then this library can make use of it.
For posterity, I ran into this when using Keycloak. Disabling RSA-OAEP in the realm per this comment helped unblock me: Keats/jsonwebtoken#252 (comment)
I also had this problem with Keycloak 20 with default settings. When disabling RSA-OAEP in the realm, it did not seem to update the JWKS endpoint, and I did not find a way to force the endpoint to rebuild its answer.
jwt-authorizer fails with an `AuthErrors::JwksRefreshError: error decoding response body: unknown variant 'RSA-OAEP'` when the JWKS URL contains a key where `alg` is `RSA-OAEP`.

It seems that https://github.com/cduvray/jwt-authorizer/blob/main/jwt-authorizer/src/jwks/key_store_manager.rs#L182 attempts to ignore a JWK if it's not decodable, but if a serialized JWK is unable to be cast into a JWK in https://github.com/cduvray/jwt-authorizer/blob/main/jwt-authorizer/src/jwks/key_store_manager.rs#L172 (which is the case if its algorithm is not in https://github.com/Keats/jsonwebtoken/blob/master/src/algorithms.rs#L16), the entire method returns the AuthError.
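An added illustration of the two behaviours contrasted above; this is not jwt-authorizer's or jsonwebtoken's code. It places a strict JWKS parser, which aborts the whole refresh as soon as one key carries an `alg` outside the supported signature set (the effect the report describes), beside a lenient parser that drops that single key and keeps the rest. The supported-algorithm set, the `JwksRefreshError` class and the sample JWKS are constructed for the example; the `n`/`e` values are placeholder text, not key material. The sample mirrors what a Keycloak realm publishes: one RS256 signing key plus an RSA-OAEP key marked `"use": "enc"`, which exists for token encryption and is never needed to verify a signature.

```python
import json

# Signature algorithms this verifier accepts. Assumed for the example; it stands in
# for the algorithm enum a JWT library deserialises `alg` into.
SUPPORTED_SIG_ALGS = {
    "HS256", "HS384", "HS512",
    "RS256", "RS384", "RS512",
    "PS256", "PS384", "PS512",
    "ES256", "ES384", "EdDSA",
}

# Constructed JWKS document, shaped like a Keycloak realm's certs endpoint output.
# Key material below is placeholder text, not real keys.
SAMPLE_JWKS = json.dumps({
    "keys": [
        {"kid": "sig-key-1", "kty": "RSA", "use": "sig", "alg": "RS256",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
        {"kid": "enc-key-1", "kty": "RSA", "use": "enc", "alg": "RSA-OAEP",
         "n": "PLACEHOLDER_MODULUS", "e": "AQAB"},
    ]
})


class JwksRefreshError(Exception):
    """Raised when the JWKS body cannot be turned into a usable key set."""


def parse_jwks_strict(body: str) -> list:
    """Strict parsing: the first key with an unknown alg fails the entire refresh.

    This reproduces the failure mode from the report: a whole-document decode
    that treats one unsupported variant as a fatal error, so the valid signing
    key is lost along with the encryption key.
    """
    data = json.loads(body)
    keys = []
    for jwk in data["keys"]:
        alg = jwk.get("alg")
        if alg is not None and alg not in SUPPORTED_SIG_ALGS:
            raise JwksRefreshError(
                f"error decoding response body: unknown variant '{alg}'"
            )
        keys.append(jwk)
    return keys


def parse_jwks_lenient(body: str) -> tuple:
    """Lenient parsing: decide per key, skip what cannot verify a signature.

    Returns (usable_keys, skipped) where skipped is a list of (kid, reason)
    pairs so the caller can log what was dropped instead of failing silently.
    """
    data = json.loads(body)
    usable, skipped = [], []
    for jwk in data.get("keys", []):
        kid = jwk.get("kid", "<no kid>")
        # Encryption keys (RFC 7517 "use": "enc") are never signature verifiers.
        if jwk.get("use") == "enc":
            skipped.append((kid, "use=enc"))
            continue
        # alg is optional in a JWK; only reject it when present and unsupported.
        alg = jwk.get("alg")
        if alg is not None and alg not in SUPPORTED_SIG_ALGS:
            skipped.append((kid, f"unsupported alg {alg}"))
            continue
        usable.append(jwk)
    return usable, skipped


if __name__ == "__main__":
    try:
        parse_jwks_strict(SAMPLE_JWKS)
    except JwksRefreshError as err:
        print("strict:", err)
    keys, dropped = parse_jwks_lenient(SAMPLE_JWKS)
    print("lenient kept:", [k["kid"] for k in keys], "skipped:", dropped)
```

The lenient path is the one a resource server wants: a refresh that fails because of a key it would never use leaves the service unable to validate any token until the provider changes its realm configuration, as the comments above describe. Logging the skipped `kid`s keeps the drop visible so an unexpectedly missing signing key can still be noticed.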