fix: kid header is not required for key lookup

ory · Nov 4, 2020 · 27cc5c0 · 27cc5c0
1 parent c0598fb
commit 27cc5c0
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/client_authentication.go b/client_authentication.go
@@ -239,12 +239,16 @@ func (f *Fosite) AuthenticateClient(ctx context.Context, r *http.Request, form u
 }
 
 func findPublicKey(t *jwt.Token, set *jose.JSONWebKeySet, expectsRSAKey bool) (interface{}, error) {
+	keys := set.Keys
+	if len(keys) == 0 {
+		return nil, errors.WithStack(ErrInvalidRequest.WithHintf("The retrieved JSON Web Key Set does not contain any keys."))
+	}
+
 	kid, ok := t.Header["kid"].(string)
-	if !ok {
-		return nil, errors.WithStack(ErrInvalidRequest.WithHint("The JSON Web Token must contain a kid header value but did not."))
+	if ok {
+		keys = set.Key(kid)
 	}
 
-	keys := set.Key(kid)
 	if len(keys) == 0 {
 		return nil, errors.WithStack(ErrInvalidRequest.WithHintf("The JSON Web Token uses signing key with kid '%s', which could not be found.", kid))
 	}