topdown/tokens: Fix verifying with multi-key JWKS #1923

patrick-east · 2019-11-26T00:35:36Z

We were previously ignoring any keys beyond the first index in a set
of keys contained in a JWKS provided to the JWT builtins. We now will
attempt to use any of the keys found.

In addition we no longer raise an error if the key type doesn't match
the header. We will return the correct result as if the verification
failed (because it did..)

Fixes: #1901
Signed-off-by: Patrick East [email protected]

We were previously ignoring any keys beyond the first index in a set of keys contained in a JWKS provided to the JWT builtins. We now will attempt to use any of the keys found. In addition we no longer raise an error if the key type doesn't match the header. We will return the correct result as if the verification failed (because it did..) Fixes: open-policy-agent#1901 Signed-off-by: Patrick East <[email protected]>

tsandall

LGTM. Migth be useful to include a comment that links to the RFC on how these multi-key JWKS should be handled.

patrick-east requested a review from tsandall November 26, 2019 00:35

tsandall approved these changes Nov 26, 2019

View reviewed changes

patrick-east merged commit 16a0aca into open-policy-agent:master Nov 26, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

topdown/tokens: Fix verifying with multi-key JWKS #1923

topdown/tokens: Fix verifying with multi-key JWKS #1923

patrick-east commented Nov 26, 2019

tsandall left a comment

topdown/tokens: Fix verifying with multi-key JWKS #1923

topdown/tokens: Fix verifying with multi-key JWKS #1923

Conversation

patrick-east commented Nov 26, 2019

tsandall left a comment

Choose a reason for hiding this comment