fix(auth): pass alg to importJWK for jose v6 compatibility with Auth0…#1097
Open
cameron-michie wants to merge 1 commit into
Pull request overview
Adjusts JWT verification key import to be compatible with jose v6 when consuming JWKS entries (notably from Auth0) that may omit algorithm metadata, by passing the token header algorithm into importJWK.
Changes:
- Pass header.alg into importJWK when importing an asymmetric JWK for verification.
Comment on lines 90 to 94
| // couldn't find a matching JWK, try to use the secret | ||
| return encoder.encode(secret) | ||
| } | ||
| return await importJWK(jwk) | ||
| return await importJWK(jwk, header.alg) | ||
| } |
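Review bot: header.alg is read from the not-yet-verified token header, so with this change the presenter of the token chooses the algorithm the JWK is imported under. Prefer the JWK's own declaration when it exists and fail closed when the two disagree, e.g. `return await importJWK(jwk, jwk.alg ?? header.alg)` after checking `jwk.alg === undefined || jwk.alg === header.alg`, and keep an explicit algorithm allowlist on the verification call, since the secret fallback just above (`return encoder.encode(secret)`) is reached from the same caller and the same header.alg decides which branch is taken.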
Coverage Report for CI Build 25672082097: coverage increased (+0.03%) to 74.29%. No uncovered changes found. No coverage regressions found. (Coveralls)
Bug fix
What is the current behavior?

Any authenticated Storage request fails with HTTP 403 when the configured JWKS contains RSA keys that omit the "alg" field. The error thrown is from here:

"alg" argument is required when "jwk.alg" is not present

jose v6 removed algorithm inference from importJWK(). It now requires either jwk.alg to be set on the key object, or the algorithm passed explicitly as the second argument. Storage was calling importJWK(jwk) without either, causing jose to throw before the key could be imported.

What is the new behavior?

importJWK is called as importJWK(jwk, header.alg)

Additional context

n/a
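The description above explains why jose v6 needs an explicit algorithm for a JWK that omits "alg". The following is an added example, not the Storage project's code: a small resolver that decides which string to hand to jose's importJWK(jwk, alg) as its second argument, preferring the JWK's own "alg" over the token header's, and refusing combinations where the header and the JWK disagree, where the algorithm is outside a deployment allowlist, or where the algorithm family does not match the JWK's "kty". The function names, the allowlist, and the sample JWK are assumptions; the RFC 7518 alg-to-kty mapping is standard.

```javascript
// Added example (not the Storage project's code): choose the "alg" to pass as the
// second argument of jose's importJWK(jwk, alg) and refuse inconsistent
// header/JWK combinations. Function names and the allowlist are assumptions.

// Registered JWS algorithm -> JWK key type it must be used with (RFC 7518).
// Anything not listed here is rejected outright.
const KTY_FOR_ALG = {
  RS256: 'RSA', RS384: 'RSA', RS512: 'RSA',
  PS256: 'RSA', PS384: 'RSA', PS512: 'RSA',
  ES256: 'EC', ES384: 'EC', ES512: 'EC',
  EdDSA: 'OKP',
};

// Algorithms this deployment accepts (assumed policy). HMAC algorithms are
// deliberately absent so a token header cannot steer an RSA JWK into an
// HMAC import path.
const ALLOWED_ALGS = new Set(['RS256', 'ES256']);

// Resolve the algorithm for importJWK. Precedence: the JWK's own "alg", then
// the token header's "alg", but only when both agree with each other, with the
// allowlist, and with the key type. Returns the alg string or throws.
function resolveImportAlg(jwk, header, allowed = ALLOWED_ALGS) {
  if (!jwk || typeof jwk.kty !== 'string') throw new Error('JWK missing kty');
  const alg = jwk.alg ?? header?.alg;
  if (typeof alg !== 'string') throw new Error('no alg on JWK or token header');
  if (jwk.alg && header?.alg && jwk.alg !== header.alg) {
    throw new Error(`token alg ${header.alg} does not match JWK alg ${jwk.alg}`);
  }
  if (!allowed.has(alg)) throw new Error(`alg ${alg} not in allowlist`);
  if (KTY_FOR_ALG[alg] !== jwk.kty) {
    throw new Error(`alg ${alg} cannot be used with kty ${jwk.kty}`);
  }
  return alg;
}

// Constructed sample: an RSA JWK with no "alg" field (the case the PR
// describes) and a token header carrying RS256. The modulus is a placeholder.
const SAMPLE_JWK = {
  kty: 'RSA', kid: 'k1', use: 'sig', n: 'PLACEHOLDER_MODULUS', e: 'AQAB',
};

// Where the real call would go once the alg is resolved:
//   const key = await importJWK(SAMPLE_JWK, resolveImportAlg(SAMPLE_JWK, header));
function demo() {
  return resolveImportAlg(SAMPLE_JWK, { alg: 'RS256', kid: 'k1' });
}
```

The point of routing through a resolver rather than passing header.alg straight through is that the header is unverified input: the JWK (fetched from the configured JWKS) is the trusted side, so its "alg", when present, wins, and a token that names a different algorithm, an HMAC algorithm, or an algorithm from the wrong key family is rejected before any key material is imported.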