Exception if JWK set kid in single key and JWS does not specify kid #462

Closed
dklimpel opened this issue May 25, 2022 · 4 comments · Fixed by #596

@dklimpel
Contributor

Describe the bug

This issue is related to #222

  • kid is optional in JWK, RFC7517
  • kid is optional in JWS header, RFC7515

If the JWKS specifies only one key and the JWS header has no kid, the following behaviour occurs:

  • If the key has no kid, jwt.decode finds and uses the key.
  • If the key has a kid, jwt.decode does not find the key and fails.

Error Stacks

Traceback (most recent call last):
  File "test_jwk.py", line 46, in <module>
    jwt.decode(
  File "/home/synapse/synapse_dev/env/lib/python3.8/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/home/synapse/synapse_dev/env/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/home/synapse/synapse_dev/env/lib/python3.8/site-packages/authlib/jose/rfc7515/jws.py", line 255, in _prepare_algorithm_key
    key = key(header, payload)
  File "/home/synapse/synapse_dev/env/lib/python3.8/site-packages/authlib/jose/rfc7519/jwt.py", line 91, in load_key
    key_func = prepare_raw_key(key, header)
  File "/home/synapse/synapse_dev/env/lib/python3.8/site-packages/authlib/jose/rfc7519/jwt.py", line 137, in prepare_raw_key
    raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set

To Reproduce

A minimal example to reproduce the behavior:

from authlib.jose import jwt

# create valid JWKS
jwks_valid = {
   "keys":[
      {
         "alg":"RS256",
         "e":"AQAB",
         "ext":True,
         "key_ops":[
            "verify"
         ],
         "kty":"RSA",
         "n":"n0O-kvAnHHTDyZntIrA6JfN7cZ7a5r6yLuZu4rotsbvdInK1fqmeatZ3ZqJgJ32WG5rljMzOYp7nqERuXKYhpPCGfAy_MiIBgi2DuVoMbCzqPyvblxZ-5GyywpAFrjuxyoYRw19JmdfeWQet8Slir8wJNt0VOxo4Ac8vdcwIkLkq64RxGtnXWYAgD1CsJQvrDYGf4dWy6Xn_6FKjrzXb1BMIHkUHh3mjFD6VbtCMv5BEt6cSD8eRr5t9GBf0Y9gEv_ZLVhFCieCPwOOnYvheLG1LWMpHBWcjfbkOYmyY5w9-NMdnrqkAwgTEwWqLqlg2_cEXUHf1aaYx4Y8HvL7Q3dCELlfjWiNJ0h0KoXDUsUclxogFlHVpQM646oXg88pprBzOSJwNZ6HASlgShGTmYSfXNyLb0S4jJdT3-_LITZc3DOq0caN-iFZeczo7s18u4Q7w6Dk16_YYvtgX-7NuXhBPGTHlMcB56_-kvzEBb3wOT3bjMXa3fphYldG407Kg89DsAqp2U7lSG2WrLmDZ9w9WcaMVnm2PiHM0RhcUZPRIWCxw5DePGVBR86TP-vGJc_K0S0MKNqCWEdlHsSd19q9VKbKiPFPrmoHqzczkAyLRi1nieYFCjWDPOoVWRjrpBeHCTB-33S1f44uGM7EogeNRdjkN6a_32P-AqIsTV8E"
      }
   ]
}

# add `kid` to key in same JWKS
jwks_invalid = {
   "keys":[
      {
         "kid": "DummyKey",
         "alg":"RS256",
         "e":"AQAB",
         "ext":True,
         "key_ops":[
            "verify"
         ],
         "kty":"RSA",
         "n":"n0O-kvAnHHTDyZntIrA6JfN7cZ7a5r6yLuZu4rotsbvdInK1fqmeatZ3ZqJgJ32WG5rljMzOYp7nqERuXKYhpPCGfAy_MiIBgi2DuVoMbCzqPyvblxZ-5GyywpAFrjuxyoYRw19JmdfeWQet8Slir8wJNt0VOxo4Ac8vdcwIkLkq64RxGtnXWYAgD1CsJQvrDYGf4dWy6Xn_6FKjrzXb1BMIHkUHh3mjFD6VbtCMv5BEt6cSD8eRr5t9GBf0Y9gEv_ZLVhFCieCPwOOnYvheLG1LWMpHBWcjfbkOYmyY5w9-NMdnrqkAwgTEwWqLqlg2_cEXUHf1aaYx4Y8HvL7Q3dCELlfjWiNJ0h0KoXDUsUclxogFlHVpQM646oXg88pprBzOSJwNZ6HASlgShGTmYSfXNyLb0S4jJdT3-_LITZc3DOq0caN-iFZeczo7s18u4Q7w6Dk16_YYvtgX-7NuXhBPGTHlMcB56_-kvzEBb3wOT3bjMXa3fphYldG407Kg89DsAqp2U7lSG2WrLmDZ9w9WcaMVnm2PiHM0RhcUZPRIWCxw5DePGVBR86TP-vGJc_K0S0MKNqCWEdlHsSd19q9VKbKiPFPrmoHqzczkAyLRi1nieYFCjWDPOoVWRjrpBeHCTB-33S1f44uGM7EogeNRdjkN6a_32P-AqIsTV8E"
      }
   ]
}

id_token = "eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczovL2xvZ2luLWRlbW8uY3VyaXR5LmlvL29hdXRoL3YyL29hdXRoLWFub255bW91cyIsImV4cCI6NDU2LCJpYXQiOjEyMywiYXVkIjoiY2xpZW50Iiwic3ViIjoidXNlciJ9.PmEkUY2nesh2hC4xuoi0-nDIMHM5X5ieWKMKUdSTG2r2rur_ti7jHggam3eYu-KLcZGCK0hobQXOV31YCDx8i8TqLMyw67lK3MnJXFWrYvdBSMt66Vpr3ZoCsjb3P0qkIydgpgTm4ObCKXc88cUxwhi6n0XZLSu0It55CCFlkjjFZey_jRn6YndMSRn65P9iXc2CJrMpNpAAeD4VgMRfHv5c-VxDhFidxf47ujMbm6Z4Bq6B6iIuwKMoPH1J3Y8tqYCkmhKrw_ExyjS4B2888ZZMc193GBlDvUcKsBcWA4cRstX0p1X4ncK_oTdiF902k7dNt8MrrONdrkOHtu4Rkq7pu-PHFstszfWKmLpFQNDpapbby2AKIqKKJhbUx5sfhALyVC-wcG51QVrQopWXU81MajCevOodV8a_SsjhOj9_ym0ReWykZ9QvauT0x5wCpJeWUnvRHh2jDJvdYK1uMqDw5kyv5yiXjNxfejKSlmuPSGQxIjCdZ9kn8UaB9T2zvskXtus5pYC6DEySRko5jJFjOJnMhdeDK1zGxfScAnMvH1npQKHH4nRN8DYMq9MiiaN7oKmckO5XhGW6qsHWwOjXSsmbbH64sCjnswHgult4MFQD3-KHow72Jbh9u6z0NJcre7fo_UN0NUdZ7-cdGdfyn2yIyZo5rbxatEQxN2E"

# valid
jwt.decode(
    id_token,
    key=jwks_valid,
)

# throws ValueError('Invalid JSON Web Key Set'); this is line 46 in the traceback above
jwt.decode(
    id_token,
    key=jwks_invalid,
)

Expected behavior

If no kid is specified in the JWS header, the only key in the JWKS should be used, regardless of whether it has a kid or not.

Environment:

  • OS: Ubuntu 20.04.4 LTS
  • Python Version: 3.8.10
  • Authlib Version: 1.0.1

Additional context

I have created the dummy id_token and JWKS with https://oauth.tools/ - "CREATE JWT".
The export of the data (to reproduce) is attached here.
If wanted, I can try to create a PR.

Create-JWT.zip
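Added example (not Authlib's code, and not the fix that later landed) of the key-selection rule this report asks for: an exact kid match when the header carries one, otherwise the single usable key whether or not it has a kid, and a hard failure when several keys could verify the token instead of trying them in turn. The sample keys and the "n" value are constructed placeholders, not real key material.

```python
from typing import Any, Dict

# JWK `kty` required by each JWS `alg` family (RFC 7518); `none` and unknown
# algorithms map to nothing and are therefore never matched to a key.
_ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct", "Ed": "OKP"}

def _usable(key: Dict[str, Any], alg: str) -> bool:
    """True if `key` may verify a JWS signed with `alg`."""
    if _ALG_KTY.get(alg[:2]) != key.get("kty"):
        return False                  # wrong key type (or alg "none"/unknown)
    if key.get("alg") not in (None, alg):
        return False                  # key is pinned to a different alg
    if key.get("use") == "enc":
        return False                  # encryption-only key
    ops = key.get("key_ops")
    return ops is None or "verify" in ops

def select_jwk(jwks: Dict[str, Any], header: Dict[str, Any]) -> Dict[str, Any]:
    """Pick the JWK for a JWS protected header: an exact `kid` match when the
    header carries one; otherwise the single usable key, with or without a kid;
    several usable keys and no kid in the header is an error, not a guess."""
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        raise ValueError("Invalid JSON Web Key Set")
    alg = str(header.get("alg", ""))
    kid = header.get("kid")
    if kid is not None:
        hits = [k for k in keys if k.get("kid") == kid and _usable(k, alg)]
        if not hits:
            raise ValueError(f"no usable key with kid {kid!r}")
        return hits[0]
    hits = [k for k in keys if _usable(k, alg)]
    if len(hits) == 1:
        return hits[0]                # a kid on the key does not matter here
    if not hits:
        raise ValueError(f"no key in the set can verify alg {alg!r}")
    raise ValueError("header has no kid and several keys could verify it")

def selection_fails(jwks: Dict[str, Any], header: Dict[str, Any]) -> bool:
    """True if select_jwk rejects this header/set combination."""
    try:
        select_jwk(jwks, header)
    except ValueError:
        return True
    return False

# Constructed sample keys: "n" is a placeholder, not real RSA key material.
RSA_KEY = {"kty": "RSA", "alg": "RS256", "e": "AQAB", "n": "PLACEHOLDER", "key_ops": ["verify"]}
RSA_KEY_KID = dict(RSA_KEY, kid="DummyKey")   # the single-key-with-kid case from this issue
```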

@MaggieWalker

I am seeing this same behavior as well.

@shahbagdadi

+1, I am also running into this issue.

@lepture
Owner

lepture commented Feb 22, 2023

@dklimpel yeah. A PR is welcome.

@dklimpel
Contributor Author

Current error message in version 1.2.1.

Traceback (most recent call last):
  File "/home/dirk/base-images/test.py", line 46, in <module>
    jwt.decode(
  File "/home/dirk/locust/lib/python3.10/site-packages/authlib/jose/rfc7519/jwt.py", line 96, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/home/dirk/locust/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 101, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/home/dirk/locust/lib/python3.10/site-packages/authlib/jose/rfc7515/jws.py", line 254, in _prepare_algorithm_key
    key = key(header, payload)
  File "/home/dirk/locust/lib/python3.10/site-packages/authlib/jose/rfc7519/jwt.py", line 173, in load_key
    raise ValueError('Invalid JSON Web Key Set')
ValueError: Invalid JSON Web Key Set
