New __hash__() method doesn't consider kid #208
Comments
Uhmmm I had not considered the fact that you may have the same key values with different key IDs ...
An edge case, for sure. But... I encountered that edge case :( kid is the only parameter I am aware of, but I am not intimately familiar with all the different ways to look up a key in a JWKSet. I think it would really tie back to whichever parameters could be used to look up a key from the client token.
@rabbitsoup can you put together a three-line reproducer in a comment?
Yeah, I'll try to script up something.
This script passes with version 0.8 and fails with 0.9.
This test could be improved by checking all the individual kid values as well.
Version 0.9 introduced a new JWK.__hash__() method that does not consider kid.
0edf66d
When using JWKSet.import_keyset(), server keys can be unexpectedly filtered out if some keys contain the same underlying key values but differ only by other metadata, such as kid. If client tokens were generated using the filtered-out kid's key, authorization fails.
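A stand-in model of the collapse this issue describes, added here as an example and not jwcrypto's own code: a JWK-like class whose hash/equality ignore kid is imported into a set, and an audit helper reports which kids from the source document no longer resolve. The class names, the `import_keyset`/`dropped_kids` helpers and the JWKS document are all constructed for the illustration.

```python
import json

# Constructed JWKS: two symmetric keys with identical material ("k") but
# different "kid" values, the shape of keyset the issue describes.
JWKS_JSON = json.dumps({"keys": [
    {"kty": "oct", "kid": "key-2023", "k": "c2VjcmV0LWtleS1tYXRlcmlhbA"},
    {"kty": "oct", "kid": "key-2024", "k": "c2VjcmV0LWtleS1tYXRlcmlhbA"},
    {"kty": "oct", "kid": "other",    "k": "ZGlmZmVyZW50LW1hdGVyaWFs"},
]})


class KeyMaterialOnly:
    """Stand-in for a JWK whose hash/eq ignore kid (the behaviour reported)."""

    def __init__(self, d):
        self.kid, self.kty, self.k = d.get("kid"), d["kty"], d["k"]

    def __eq__(self, other):
        return (self.kty, self.k) == (other.kty, other.k)

    def __hash__(self):
        return hash((self.kty, self.k))


class KeyWithKid(KeyMaterialOnly):
    """Same stand-in, with kid folded into identity so distinct kids survive."""

    def __eq__(self, other):
        return (self.kid, self.kty, self.k) == (other.kid, other.kty, other.k)

    def __hash__(self):
        return hash((self.kid, self.kty, self.k))


def import_keyset(jwks_json, key_cls):
    """Mimic a set-backed import: keys that compare equal collapse to one.

    Python keeps the first element inserted, so the later duplicate is lost.
    """
    return {key_cls(d) for d in json.loads(jwks_json)["keys"]}


def dropped_kids(jwks_json, keyset):
    """Audit check: kids present in the source document that no imported key carries.

    A non-empty result means tokens signed under those kids will fail lookup.
    """
    wanted = [d.get("kid") for d in json.loads(jwks_json)["keys"]]
    present = {k.kid for k in keyset}
    return [kid for kid in wanted if kid not in present]
```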