jwt.ParseInsecure return verification error

[ai-zelenin]

jwt.ParseInsecure return verification error

go version 1.20

func (c *ProviderSuite) TestJWX() {
	privkey1, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	jwxKey1, err := jwk.FromRaw(privkey1)
	if err != nil {
		panic(err)
	}
	privkey2, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	jwxKey2, err := jwk.FromRaw(privkey2)
	if err != nil {
		panic(err)
	}
	tok, err := jwt.NewBuilder().
		Claim(`claim1`, `value1`).
		Claim(`claim2`, `value2`).
		Issuer(`github.com/lestrrat-go/jwx`).
		Audience([]string{`users`}).
		Build()
	if err != nil {
		panic(err)
	}

	signed, err := jwt.Sign(tok, jwt.WithKey(jwa.RS256, jwxKey1))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(signed))
	tok2, err := jwt.ParseInsecure(signed, jwt.WithKey(jwa.RS256, jwxKey2))
	if err != nil {
		panic(err) // it will panic but should not
	}
	fmt.Println(tok2.Issuer())
}

I suppose expected behavior is no verifiaction and no validation)))

[lestrrat]

@ai-zelenin Oh wow, that one went unnoticed for over a year.

The quick fix is easy, but for the time being, what you can do to actually run ParseInsecure is to remove jwt.WithKey from the arguments to ParseInsecure() -- and that was the intended usage. I suppose I need to filter out more options from ParseInsecure.

We'll fix this soon.

[lestrrat]

@ai-zelenin Please check if #1008 fixes the problem for you?

[lestrrat]

I'm fairly certain #1008 fixes it, so I'm going to merge. I'd like to release the next version soon

[ai-zelenin]

thanks)) it will be very nice.