
when building a JWK verifier, the alg field should be optional. #434

Closed
mkporwit opened this issue Jun 7, 2018 · 1 comment
Comments

@mkporwit
Contributor

mkporwit commented Jun 7, 2018

The JWK RFC (https://tools.ietf.org/html/rfc7517#section-4.4) specifies that the alg parameter is optional. However, JWTAuth.kt:getVerifier() throws a "java.lang.IllegalArgumentException: Unsupported algorithm null" when it tries to parse JWKS that do not define one (such as those at https://login.microsoftonline.com/common/discovery/v2.0/keys).

A proposed fix would be to either peek at the JWT and use the same algorithm as the JWT is signed with, or just default to RS256 if nothing is defined. That latter approach was taken by Spring, here: spring-attic/spring-security-oauth@9b7d576
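The selection logic the issue asks for, as an added example written for this page (not ktor's code and not its `JWTAuth.kt` or `makeAlgorithm` implementation), in Python with only the standard library: a JWK that omits `alg` falls back to RS256 for RSA keys, the same default the merged fix chose, and the token's own `alg` header is only allowed to confirm that choice, never to select the algorithm. The `ALGS_BY_KTY` table, the `JWK_WITHOUT_ALG` sample and the `make_token` helper are constructed for the example.

```python
import base64
import json

# Assumed mapping of JWK key types to the signature algorithms they can back
# (RFC 7518 names). RS256 is the default when a JWK omits "alg", the same
# choice the merged fix made for RSA keys.
ALGS_BY_KTY = {
    "RSA": {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
    "EC": {"ES256", "ES384", "ES512"},
}
DEFAULT_ALG_BY_KTY = {"RSA": "RS256", "EC": "ES256"}

# Constructed JWKS entry with no "alg" member; "n" is a placeholder, not a real modulus.
JWK_WITHOUT_ALG = {"kty": "RSA", "use": "sig", "kid": "example-kid", "n": "PLACEHOLDER", "e": "AQAB"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_header(token: str) -> dict:
    """Parse the JOSE header of a compact-serialised JWT (no signature check)."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def make_token(header: dict) -> str:
    # Constructed, unsigned token for exercising the selection logic only;
    # payload and signature segments are placeholders that nothing verifies.
    enc = lambda raw: base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b"{}"), enc(b"sig")])


def resolve_alg(jwk: dict, token: str) -> str:
    """Choose the verification algorithm for a JWK whose "alg" may be absent.

    Raises ValueError when the key type is unknown, the JWK's "alg" contradicts
    its "kty", or the token header names an algorithm this key does not back.
    """
    kty = jwk.get("kty")
    if kty not in ALGS_BY_KTY:
        raise ValueError(f"unsupported key type {kty!r}")
    # An explicit "alg" in the JWK wins; otherwise fall back to the key type's default.
    key_alg = jwk.get("alg") or DEFAULT_ALG_BY_KTY[kty]
    if key_alg not in ALGS_BY_KTY[kty]:
        raise ValueError(f"JWK alg {key_alg!r} cannot be used with kty {kty!r}")
    # The token header is untrusted input: it may confirm the key's algorithm but
    # never select one, so "none" or an HMAC alg presented for an RSA key is refused.
    header_alg = jwt_header(token).get("alg")
    if header_alg != key_alg:
        raise ValueError(f"token alg {header_alg!r} rejected; key requires {key_alg!r}")
    return key_alg
```

With a verifier library the returned name is what you would hand to the library's RSA256/RSA512 constructor together with the JWK's public key; the resolution step is the part this issue is about.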

mkporwit pushed a commit to mkporwit/ktor that referenced this issue Jun 7, 2018
cy6erGn0m pushed a commit that referenced this issue Jun 25, 2018
* default to RS256 as the algorithm if the JWK does not optionally provide one (#434)
* add test case for null algorithm, ensure tests use jwk.makeAlgorithm from src
@mkporwit
Contributor Author

Fix has been merged into master and released in 0.9.3. Closing this issue.

schleinzer pushed a commit to schleinzer/ktor that referenced this issue Feb 26, 2019
* default to RS256 as the algorithm if the JWK does not optionally provide one (ktorio#434)
* add test case for null algorithm, ensure tests use jwk.makeAlgorithm from src