Assume JWK is valid for signing if "use" is omitted (#668)
* PyJWKClient: Assume JWK is intended for signing if 'use' claim is either 'sig' or not present

* Update CHANGELOG
Klavionik authored Aug 12, 2021
1 parent 5fe7f2b commit 6367361
Showing 3 changed files with 16 additions and 1 deletion.
1 change: 1 addition & 0 deletions CHANGELOG.rst
@@ -14,6 +14,7 @@ Changed

Fixed
~~~~~
- Assume JWK without the "use" claim is valid for signing as per RFC7517 `#668 <https://github.com/jpadilla/pyjwt/pull/668>`__

- Prefer `headers["alg"]` to `algorithm` in `jwt.encode()`. `#673 <https://github.com/jpadilla/pyjwt/pull/673>`__
- Fix aud validation to support {'aud': null} case. `#670 <https://github.com/jpadilla/pyjwt/pull/670>`__
2 changes: 1 addition & 1 deletion jwt/jwks_client.py
@@ -29,7 +29,7 @@ def get_signing_keys(self) -> List[PyJWK]:
signing_keys = []

for jwk_set_key in jwk_set.keys:
if jwk_set_key.public_key_use == "sig" and jwk_set_key.key_id:
if jwk_set_key.public_key_use in ["sig", None] and jwk_set_key.key_id:
signing_keys.append(jwk_set_key)

if len(signing_keys) == 0:
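Review bot: The relaxed condition `if jwk_set_key.public_key_use in ["sig", None] and jwk_set_key.key_id:` accepts every key that omits "use", but it never looks at "key_ops", the other member RFC 7517 (section 4.3) provides for stating a key's purpose. A key published without "use" and with key_ops limited to, say, encryption or key wrapping would now be returned by get_signing_keys() and become eligible for signature verification. Consider also skipping keys whose "key_ops" is present and does not include "verify", and record the reasoning next to the check, for example `# RFC 7517 4.2: "use" is optional; a missing value must not exclude the key`. The body of get_signing_keys starts and ends outside the visible hunk, so how the resulting list is consumed is inferred rather than shown.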
14 changes: 14 additions & 0 deletions tests/test_jwks_client.py
@@ -61,6 +61,20 @@ def test_get_signing_keys(self):
assert len(signing_keys) == 1
assert isinstance(signing_keys[0], PyJWK)

def test_get_signing_keys_if_no_use_provided(self):
url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"

mocked_key = RESPONSE_DATA["keys"][0].copy()
del mocked_key["use"]
response = {"keys": [mocked_key]}

with mocked_response(response):
jwks_client = PyJWKClient(url)
signing_keys = jwks_client.get_signing_keys()

assert len(signing_keys) == 1
assert isinstance(signing_keys[0], PyJWK)

def test_get_signing_keys_raises_if_none_found(self):
url = "https://dev-87evx9ru.auth0.com/.well-known/jwks.json"

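Review bot: test_get_signing_keys_if_no_use_provided only asserts the count and type of the result, and its mocked set holds a single key, so it cannot show that the relaxed filter still rejects keys meant for another purpose. A stronger case puts two keys in the response, one with "use" removed and a copy with "use" set to "enc" and a different "kid", and then checks which one comes back, e.g. `assert signing_keys[0].key_id == mocked_key["kid"]`. The fixture presumably carries a "kid", since the filter under test requires a key id. The following test, test_get_signing_keys_raises_if_none_found, is cut off by the hunk, so whether it already covers the "enc" case on its own is not visible here.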
