This is in relation to RFC7523 and the `PrivateKeyJWT` and `ClientSecretJWT` classes' `sign` method. Each class can be initialised with a `headers` dictionary. In `ClientSecretJWT`, the `self.headers` is passed to `client_secret_jwt_sign` as a kwparam called `headers`. `PrivateKeyJWT` doesn't actually pass the headers through to `private_key_jwt_sign` at all, but should (that's the first problem). This allows people to set things like the `kid` on the JWT header.
The second problem is that the `sign_jwt_bearer_assertion` expects a kwarg called `header` and not `headers`. At the moment, the `headers` from `ClientSecretJWT.sign()` appear to be ignored.
In summary, two issues:
- `PrivateKeyJWT` should pass the `self.headers` into the `private_key_jwt_sign` call.
- Both `ClientSecretJWT` and `PrivateKeyJWT` should pass `header=self.headers` in the calls to `client_secret_jwt_sign` and `private_key_jwt_sign` respectively.
I can create a PR, but I can't see any existing tests for the RFC7353 code in the codebase that I can enhance. Any guidance would be greatly appreciated.
Error Stacks
None
Expected behaviour
I would expect the headers to be passed through and included in the JWT.
Environment:
OS: Ubuntu 22.04 (but not relevant here)
Python Version: 3.10.7 (but not relevant here)
Authlib Version: latest from master (commit cadc55d)
Additional context
This is being used to implement a Flask application that used OIDC Connect with `private_key_jwt`.
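The keyword mismatch described in this issue, as an added example that is not part of the original report and is not Authlib's code. `model_sign_assertion` and `ModelClientAuth` are hypothetical stdlib-only stand-ins (assuming the signer silently drops unknown keyword arguments), and `missing_headers` is a check that decodes the JOSE header and reports expected fields such as `kid` that never reached the token.

```python
import base64, hashlib, hmac, json, time

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def model_sign_assertion(key, issuer, audience, header=None, **kwargs):
    """Hypothetical stand-in signer (HS256 only). As in the behaviour the issue
    describes, it reads `header` and silently drops other keywords (`headers`)."""
    # `alg` is written last so a caller-supplied header cannot override it.
    jose = {"typ": "JWT", **(header or {}), "alg": "HS256"}
    now = int(time.time())
    claims = {"iss": issuer, "sub": issuer, "aud": audience, "iat": now, "exp": now + 300}
    signing_input = _b64url(json.dumps(jose).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

class ModelClientAuth:
    """Hypothetical stand-in for a client-auth class initialised with a headers dict."""
    def __init__(self, headers=None):
        self.headers = headers

    def sign_buggy(self, key, client_id, endpoint):
        # Wrong keyword: swallowed by **kwargs, so the kid never reaches the JWT.
        return model_sign_assertion(key, client_id, endpoint, headers=self.headers)

    def sign_fixed(self, key, client_id, endpoint):
        # Keyword matches the signer's parameter name.
        return model_sign_assertion(key, client_id, endpoint, header=self.headers)

def jose_header(token: str) -> dict:
    """Decode the (unverified) JOSE header of a compact JWT for inspection."""
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def missing_headers(token: str, expected: dict) -> list:
    """Return the expected header names that are absent or altered in the token."""
    actual = jose_header(token)
    return sorted(k for k, v in expected.items() if actual.get(k) != v)

if __name__ == "__main__":
    # Constructed sample values; nothing here comes from a real deployment.
    auth = ModelClientAuth(headers={"kid": "constructed-key-1"})
    key = b"constructed-secret"
    for name in ("sign_buggy", "sign_fixed"):
        token = getattr(auth, name)(key, "client-a", "https://as.example/token")
        print(name, jose_header(token), "missing:", missing_headers(token, auth.headers))
```

The same `missing_headers` check can be pointed at the `client_assertion` a real client produces, which gives a regression test that fails whenever a configured header is dropped before signing.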