mkporwit pushed a commit to mkporwit/ktor that referenced this issue on Jun 7, 2018:
* default to RS256 as the algorithm if the JWK does not optionally provide one (#434)
* add test case for null algorithm, ensure tests use jwk.makeAlgorithm from src
The JWK RFC (https://tools.ietf.org/html/rfc7517#section-4.4) specifies that the alg parameter is optional. However, JWTAuth.kt:getVerifier() throws a "java.lang.IllegalArgumentException: Unsupported algorithm null" when it tries to parse JWKS that do not define one (such as those at https://login.microsoftonline.com/common/discovery/v2.0/keys).
A proposed fix would be to either peek at the JWT and use the same algorithm as the JWT is signed with, or just default to RS256 if nothing is defined. That latter approach was taken by Spring, here: spring-attic/spring-security-oauth@9b7d576
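A defender-side illustration of the fix discussed in this issue, added here and not code from ktor or the referenced commit: the algorithm is taken from the JWK's `alg` when present and otherwise defaulted by key type (RS256 for RSA, the fallback the issue proposes), and the token header's `alg` must agree with the key-derived value rather than being the only source. The JWKS document, the `fake_token` helper and all function names are constructed for this example.

```python
import base64
import json

# Constructed JWKS in the shape of the Microsoft keys document cited above:
# RSA keys with kid/use/n/e but no "alg" parameter (optional per RFC 7517 4.4).
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "key-1", "n": "AQAB", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "key-2", "alg": "RS512", "n": "AQAB", "e": "AQAB"},
    ]
}

# Fallback per key type when the JWK omits "alg" (hypothetical map; RS256 is the
# default the issue proposes for RSA keys).
DEFAULT_ALG_BY_KTY = {"RSA": "RS256"}


def make_algorithm(jwk: dict) -> str:
    """Return the signing algorithm for a JWK, defaulting by key type when 'alg' is absent."""
    alg = jwk.get("alg")
    if alg:
        return alg
    try:
        return DEFAULT_ALG_BY_KTY[jwk["kty"]]
    except KeyError:
        raise ValueError(f"no default algorithm for key type {jwk.get('kty')!r}")


def _b64url_json(segment: str) -> dict:
    """Decode one base64url JWT segment into a dict (re-adds stripped padding)."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def select_verifier(jwks: dict, token: str) -> tuple:
    """Pick the JWK named by the token's 'kid' and the algorithm to verify with.

    The algorithm comes from the key (explicit 'alg' or key-type default); the
    token header's 'alg' is only checked for agreement, never trusted on its own.
    """
    header = _b64url_json(token.split(".")[0])
    keys = {k["kid"]: k for k in jwks["keys"]}
    if header.get("kid") not in keys:
        raise ValueError("unknown kid")
    jwk = keys[header["kid"]]
    expected = make_algorithm(jwk)
    if header.get("alg") != expected:
        raise ValueError(f"token alg {header.get('alg')!r} does not match key alg {expected!r}")
    return jwk, expected


def is_accepted(jwks: dict, token: str) -> bool:
    """True when a verifier can be selected for the token, False when it is rejected."""
    try:
        select_verifier(jwks, token)
        return True
    except ValueError:
        return False


def fake_token(header: dict) -> str:
    """Constructed token: JSON header plus dummy payload/signature segments (example helper)."""
    h = base64.urlsafe_b64encode(json.dumps(header).encode()).rstrip(b"=").decode()
    return f"{h}.e30.sig"
```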