ADFS created access tokens can't be validated due to missing 'kid' header #370
We've been working on expanding the use of OpenID Connect to remove some older authentication methods in places, but ran into some issues due to how ADFS creates tokens.
Some de-personalized tokens from an authentication, as an example (with output from https://jwt.ms):
As seen, the access token is missing the 'kid' header, and instead only contains an 'x5t' header - albeit with the exact same data as 'kid' would've contained. This caused validation to fail when using JWKs, as the signature verification wasn't able to read the key id.
--- /a/lib/jwt/decode.rb 2020-09-10 10:09:12.183103903 +0200 +++ /b/lib/jwt/decode.rb 2020-09-10 10:55:26.259471083 +0200 @@ -34,7 +34,7 @@ def verify_signature @key = find_key(&@keyfinder) if @keyfinder - @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['kid']) if @options[:jwks] + @key = ::JWT::JWK::KeyFinder.new(jwks: @options[:jwks]).key_for(header['x5t']) if @options[:jwks] raise(JWT::IncorrectAlgorithm, 'An algorithm must be specified') if allowed_algorithms.empty? raise(JWT::IncorrectAlgorithm, 'Expected a different algorithm') unless options_includes_algo_in_header?
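Review bot: the replaced line in `verify_signature` swaps the `kid` lookup for `x5t` unconditionally, so every issuer that populates `kid` (the header RFC 7515 defines for key selection) would stop resolving against the configured `jwks`; if the gem were to accommodate the ADFS shape at all it should be a fallback, e.g. `key_for(header['kid'] || header['x5t'])`, not a replacement. Worth stating in the PR description as well that `x5t` is an X.509 certificate SHA-1 thumbprint rather than a key identifier, and that matching it against a JWK `kid` only works because ADFS happens to publish the same value in both fields, as the issue text describes.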
Hi @ananace. Sorry for the late reply.
I think the gem itself cannot have these kinds of fallbacks or exceptions. The JWT RFC states:
But for your case you can have the exception by giving the keyfinder as a parameter to the decode method.
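As an added example of the keyfinder approach suggested above (this is illustrative code, not ruby-jwt's own and not from the issue author): a key finder that prefers `kid` and falls back to `x5t`, run against a constructed JWKS-like table and a constructed RS256 token whose header carries only `x5t`. The key pair, the thumbprint value `CONSTRUCTED-THUMBPRINT-01`, the claims, and the helper names `mint_adfs_style_token` / `verify_with_finder` / `decode_with_jwt_gem` are all assumptions made for the demo; only `JWT.decode(token, nil, true, algorithms: [...], &finder)` is the gem's real interface, and it is only exercised when the gem is installed.

```ruby
require 'openssl'
require 'json'

# --- Constructed sample material (not real ADFS output) --------------------
# One RSA key pair stands in for the ADFS signing certificate. ADFS publishes
# the same thumbprint as both 'kid' and 'x5t' in its JWKS, so the lookup
# table is keyed by that single value. The public key is kept as PEM here to
# avoid JWK n/e handling, which is beside the point of the example.
SAMPLE_KEY = OpenSSL::PKey::RSA.new(2048)
SAMPLE_THUMBPRINT = 'CONSTRUCTED-THUMBPRINT-01' # placeholder, not a real x5t
SAMPLE_JWKS = {
  'keys' => [
    { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256',
      'kid' => SAMPLE_THUMBPRINT, 'x5t' => SAMPLE_THUMBPRINT,
      'pem' => SAMPLE_KEY.public_key.to_pem }
  ]
}.freeze

# Key finder in the shape JWT.decode's block expects: it receives the decoded
# header (and the payload, if the block takes two arguments) and returns the
# verification key. 'kid' is preferred; 'x5t' is the ADFS fallback.
KEY_FINDER = lambda do |header, _payload = nil|
  key_id = header['kid'] || header['x5t']
  raise KeyError, "token header carries neither 'kid' nor 'x5t'" if key_id.nil?

  jwk = SAMPLE_JWKS['keys'].find { |k| k['kid'] == key_id || k['x5t'] == key_id }
  raise KeyError, "no JWK found for key id #{key_id.inspect}" if jwk.nil?

  OpenSSL::PKey::RSA.new(jwk['pem'])
end

# base64url without padding (RFC 7515 encoding), stdlib only.
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  padded = str.tr('-_', '+/')
  padded += '=' * ((4 - padded.length % 4) % 4)
  padded.unpack1('m')
end

# Mint an RS256 token whose header carries only 'x5t', mirroring the ADFS
# access tokens described in the issue. Constructed for the demo only.
def mint_adfs_style_token(payload, key = SAMPLE_KEY, thumbprint = SAMPLE_THUMBPRINT)
  header = { 'typ' => 'JWT', 'alg' => 'RS256', 'x5t' => thumbprint }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(payload))}"
  signature = key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url(signature)}"
end

# Minimal RS256 verification driven by the same key finder, so the fallback
# can be exercised without the jwt gem. The algorithm is pinned before the key
# is looked up, which is what the gem's 'algorithms' option does for you.
# Returns [payload, header] on success, raises KeyError otherwise.
def verify_with_finder(token, finder = KEY_FINDER)
  h64, p64, s64 = token.split('.', 3)
  raise KeyError, 'malformed token' if s64.nil?

  header = JSON.parse(b64url_decode(h64))
  raise KeyError, "unexpected alg #{header['alg'].inspect}" unless header['alg'] == 'RS256'

  key = finder.call(header)
  valid = key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(s64), "#{h64}.#{p64}")
  raise KeyError, 'signature verification failed' unless valid

  [JSON.parse(b64url_decode(p64)), header]
end

# With ruby-jwt the finder is passed as the block to JWT.decode instead of
# the :jwks option; nil is returned here when the gem is not installed.
def decode_with_jwt_gem(token)
  require 'jwt'
  JWT.decode(token, nil, true, algorithms: ['RS256'], &KEY_FINDER)
rescue LoadError
  nil
end

if __FILE__ == $PROGRAM_NAME
  token = mint_adfs_style_token({ 'sub' => 'user-1', 'aud' => 'example-api' })
  payload, header = verify_with_finder(token)
  puts "header keys: #{header.keys.inspect}"   # no 'kid', only 'x5t'
  puts "verified subject: #{payload['sub']}"
  gem_result = decode_with_jwt_gem(token)
  puts gem_result ? "jwt gem agrees: #{gem_result.first['sub']}" : 'jwt gem not installed'
end
```

The finder is the only ADFS-specific piece; because it is supplied per call, the gem's default `kid` lookup stays unchanged for every other issuer, which is the trade-off the reply above describes.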