Merge pull request #392 from akatsoulas/oidc-kid-setting

fix(auth): merge suggestion of @cfra to prevent KeyError in auth.py
mozilla · Dec 24, 2020 · d3fd7ff · d3fd7ff
2 parents 476f7af + e58e4f6
commit d3fd7ff
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -41,6 +41,12 @@ of ``mozilla-django-oidc``.
 
    Controls whether the OpenID Connect client verifies the signature of the JWT tokens
 
+.. py:attribute:: OIDC_VERIFY_KID
+
+    :default: ``True``
+
+    Controls whether the OpenID Connect client verifies the KID field of the JWT tokens
+
 .. py:attribute:: OIDC_USE_NONCE
 
    :default: ``True``

diff --git a/mozilla_django_oidc/auth.py b/mozilla_django_oidc/auth.py
@@ -19,7 +19,6 @@
 
 from mozilla_django_oidc.utils import absolutify, import_from_settings
 
-
 LOGGER = logging.getLogger(__name__)
 
 
@@ -159,7 +158,8 @@ def retrieve_matching_jwk(self, token):
 
         key = None
         for jwk in jwks['keys']:
-            if 'kid' in jwk and jwk['kid'] != smart_text(header.kid):
+            if (import_from_settings("OIDC_VERIFY_KID", True)
+                    and jwk['kid'] != smart_text(header.kid)):
                 continue
             if 'alg' in jwk and jwk['alg'] != smart_text(header.alg):
                 continue