
Ignoring invalid keys in a JWKS does not work #862

Closed
timw6n opened this issue Mar 1, 2023 · 2 comments
Labels
stale Issues without activity for more than 60 days

Comments

@timw6n
Contributor

timw6n commented Mar 1, 2023

Summary.

Expected Result

A JWKS that contains two keys, one with a supported curve, one unsupported, should result in the valid key being output.

That is the clear intention of the code here in __init__ of PyJWKSet:

        for key in keys:
            try:
                self.keys.append(PyJWK(key))
            except PyJWKError:
                # skip unusable keys
                continue

Actual Result

A jwt.exceptions.InvalidKeyError is thrown to the top level.

I think the issue is that it is PyJWKError that is being caught but that InvalidKeyError extends PyJWTError. I don't know the codebase at all really, but suspect catching the broader exception would resolve the issue.

Reproduction Steps

We saw this with a JWKS containing a key with crv "X25519".

System Information

{
  "cryptography": {
    "version": "38.0.4"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.6"
  },
  "platform": {
    "release": "6.0.0-1011-oem",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.6.0"
  }
}
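Added illustration of the report above; this is not PyJWT's code or the reporter's patch. It models the quoted loop with a constructed mirror of the library's exception hierarchy (a PyJWTError root with InvalidKeyError and PyJWKError as sibling subclasses), a toy parse_jwk stand-in for PyJWK.__init__, and a constructed sample JWKS holding one P-256 key, one X25519 key and one bogus kty. It shows why `except PyJWKError` lets the X25519 failure escape and how catching the common base class, as the reporter suggests, keeps the usable key.

```python
# Constructed mirror of PyJWT's exception hierarchy (jwt.exceptions):
# InvalidKeyError and PyJWKError are siblings under PyJWTError, so a
# handler for one does not catch the other.
class PyJWTError(Exception):
    """Root of the hierarchy."""

class InvalidKeyError(PyJWTError):
    """Key material the library cannot use, e.g. an unsupported crv."""

class PyJWKError(PyJWTError):
    """JWK-level problems such as an unsupported kty."""

class PyJWKSetError(PyJWTError):
    """A JWKS that yields no usable keys."""

SUPPORTED_EC_CURVES = {"P-256", "P-384", "P-521", "secp256k1"}
SUPPORTED_OKP_CURVES = {"Ed25519", "Ed448"}

def parse_jwk(jwk: dict) -> dict:
    """Toy stand-in for PyJWK(jwk): validate kty/crv and return the key."""
    kty = jwk.get("kty")
    crv = jwk.get("crv")
    if kty == "EC":
        if crv not in SUPPORTED_EC_CURVES:
            raise InvalidKeyError(f"Unsupported crv: {crv}")
    elif kty == "OKP":
        if crv not in SUPPORTED_OKP_CURVES:
            raise InvalidKeyError(f"Unsupported crv: {crv}")
    elif kty not in ("RSA", "oct"):
        raise PyJWKError(f"Unsupported kty: {kty}")
    return jwk

def load_jwks_narrow(jwks: dict) -> list:
    """The loop as reported: only PyJWKError is skipped, so the
    InvalidKeyError raised for an X25519 key aborts loading the whole set."""
    keys = []
    for key in jwks.get("keys", []):
        try:
            keys.append(parse_jwk(key))
        except PyJWKError:
            continue  # skip unusable keys (misses InvalidKeyError)
    return keys

def load_jwks_broad(jwks: dict) -> list:
    """The reporter's suggestion: catch the common base class so every key
    the library rejects is skipped and the usable keys survive."""
    keys = []
    for key in jwks.get("keys", []):
        try:
            keys.append(parse_jwk(key))
        except PyJWTError:
            continue
    if not keys:
        # Design choice in this example: an empty result is loud, not silent,
        # so a set made entirely of rejected keys cannot pass unnoticed.
        raise PyJWKSetError("The JWK Set did not contain any usable keys")
    return keys

# Constructed sample JWKS; coordinate values are placeholders, not key material.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "EC", "crv": "P-256", "kid": "ec-ok",
         "x": "placeholder-x", "y": "placeholder-y"},
        {"kty": "OKP", "crv": "X25519", "kid": "x25519", "x": "placeholder-x"},
        {"kty": "XYZ", "kid": "bogus"},
    ]
}

def narrow_outcome(jwks: dict = SAMPLE_JWKS) -> str:
    """Name of the exception the narrow loop leaks, or 'ok' if it loads."""
    try:
        load_jwks_narrow(jwks)
    except PyJWTError as exc:
        return type(exc).__name__
    return "ok"

def broad_kids(jwks: dict = SAMPLE_JWKS) -> list:
    """kids that survive the broad-catch loop."""
    return [k["kid"] for k in load_jwks_broad(jwks)]

def broad_rejects_all_bad() -> bool:
    """True if a set with no usable keys raises PyJWKSetError."""
    try:
        load_jwks_broad({"keys": [{"kty": "OKP", "crv": "X25519", "kid": "x"}]})
    except PyJWKSetError:
        return True
    return False

if __name__ == "__main__":
    print("narrow loop:", narrow_outcome())
    print("broad loop keeps:", broad_kids())
```

Widening the catch is the right call for a key set consumed by a verifier: one exotic key published by an identity provider should not take down signature verification for every token signed with the other keys. Keep the empty-set check, though, so a JWKS in which every key was rejected fails loudly instead of verifying nothing.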
timw6n pushed a commit to timw6n/pyjwt that referenced this issue Mar 2, 2023
@timw6n
Contributor Author

timw6n commented Mar 2, 2023

Raised #863 with a patch. This seems to work for our project.

@github-actions

github-actions bot commented May 2, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

@github-actions github-actions bot added the stale Issues without activity for more than 60 days label May 2, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale May 9, 2023
jpadilla pushed a commit that referenced this issue May 9, 2023
Co-authored-by: Tim Waterson <tim.waterson@risilience.com>