Replies: 2 comments 7 replies
-
Then, using that key set, checks if the JWT is signature was generated by a key with a matching Key ID. What I'm trying to say is that, it never uses the value given in the JWS message. It only trusts the value that you the user have provided, which is the intended behavior. We don't, and will not trust the JWS headers. So I think we're okay on that front. Let me know if I'm wrong. On the other hand, I IIRC the request I got for |
Beta Was this translation helpful? Give feedback.
-
I've confirmed that #381 fixes the issue with the header algorithm being used for verification. Thanks! |
Beta Was this translation helpful? Give feedback.
-
It seems that
jwt.Parse
along with theWithKeySet
option ends up usingjws.Verify
in conjunction with the header algorithm (by way ofjwt.lookupMatchingKey
), instead ofjws.VerifySet
, which would use/require the key's algorithm. Given that the header algorithm is generally considered to be untrusted, would it make sense to havejwt.lookupMatchingKey
return the key's defined algorithm, perhaps falling back to the header algorithm if not defined? Unfortunately, that's potentially a breaking change in cases where callers were inadvertently using the header algorithm with a different, compatible algorithm defined on the key.For my usage, I can likely just fetch the key from the keyset manually and use
WithVerify(key.Algorithm(), key)
, but it seemed odd thatWithKeySet
behaves differently with regard to the algorithm than going throughVerifySet
.Beta Was this translation helpful? Give feedback.
All reactions