feat: JWT should only respect JWT-formats (#958)

ory · Apr 24, 2022 · 6959524 · 6959524
1 parent 84a0fe0
commit 6959524
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/pipeline/authn/authenticator_jwt.go b/pipeline/authn/authenticator_jwt.go
@@ -4,6 +4,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/golang-jwt/jwt/v4"
 	"github.com/pkg/errors"
@@ -79,6 +80,12 @@ func (a *AuthenticatorJWT) Authenticate(r *http.Request, session *Authentication
 		return errors.WithStack(ErrAuthenticatorNotResponsible)
 	}
 
+	// If the token is not a JWT, declare ourselves not responsible. This enables using fallback authenticators (i. e.
+	// bearer_token or oauth2_introspection) for different token types at the same location.
+	if len(strings.Split(token, ".")) != 3 {
+		return errors.WithStack(ErrAuthenticatorNotResponsible)
+	}
+
 	if len(cf.AllowedAlgorithms) == 0 {
 		cf.AllowedAlgorithms = []string{"RS256"}
 	}

diff --git a/pipeline/authn/authenticator_jwt_test.go b/pipeline/authn/authenticator_jwt_test.go
@@ -135,6 +135,13 @@ func TestAuthenticatorJWT(t *testing.T) {
 				expectErr:      true,
 				expectExactErr: ErrAuthenticatorNotResponsible,
 			},
+			{
+				d:              "should return error saying that authenticator is not responsible for validating the request, as the token provided is not a JWT",
+				r:              &http.Request{Header: http.Header{"X-Custom-Header": []string{"bm90LWp3dA=="}}}, // not-jwt
+				config:         `{"token_from": {"header": "X-Custom-Header"}}`,
+				expectErr:      true,
+				expectExactErr: ErrAuthenticatorNotResponsible,
+			},
 			{
 				d: "should pass because the valid JWT token was provided in a proper location (custom header)",
 				r: &http.Request{Header: http.Header{"X-Custom-Header": []string{gen(keys[1], jwt.MapClaims{