[BUG] Library forces presence of optional "use" field in JWKS key #87
Comments
Thanks for the message, we'll consider this and reach out to you. A workaround, in case you're interested:

```typescript
import { CognitoJwtVerifier } from "aws-jwt-verify";
import { SimpleJwksCache } from "aws-jwt-verify/jwk";

// Cache that sets "use" to "sig" on every fetched key so the library's check passes
class CustomJwksCache extends SimpleJwksCache {
  async getJwks(jwksUri: string) {
    return super.getJwks(jwksUri).then(jwks => {
      jwks.keys.forEach(jwk => jwk.use = "sig");
      return jwks;
    });
  }
}

const verifier = CognitoJwtVerifier.create({
  ...config // your existing verifier configuration
}, {
  jwksCache: new CustomJwksCache()
});
```
Way ahead of you on the workaround (works perfectly), but thanks for posting that here, in case someone else needs it. I would've posted mine, but again, internal stuff 😄
Can't locate you to DM you, @CaerusKaru. Please share your alias or ping me?
Status: agreed that we should make the check on the Asked @CaerusKaru if he'd be interested to create a PR for this
Describe the bug
If you have a JWKS with a key without the use field, the library will throw an error because it is missing. This violates the spec on this, which states that

> Use of the "use" member is OPTIONAL, unless the application requires its presence.

which I believe means this should not be on the library side to enforce, and should be optional on the part of app owners.

Versions
Which version of aws-jwt-verify are you using? 3.1.0
Are you using the library in Node.js or in the Web browser? NodeJS
If Node.js, which version of Node.js are you using? (Should be at least 14) 16
If Web browser, which web browser and which version of it are you using? N/A
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) 4.7.4
To Reproduce
If you can, please provide a minimal code example that reproduces the bug.
I am an Amazon employee, using Amazon JWKS providers, so please DM me internally for a reproduction of my exact case. Otherwise, simply refer to the unit tests for the library, which cover this case explicitly.
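The behaviour this issue asks for, as an added example (not aws-jwt-verify's own code and not part of the issue): a key is accepted when "use" is absent and rejected only when "use" is present with a value other than "sig". The names `checkJwkUse` and `selectVerificationKey` and the sample JWKS are hypothetical and constructed for illustration.

```typescript
// Added example: hypothetical names, not the library's API.
interface Jwk {
  kty: string;
  kid?: string;
  use?: unknown; // optional member; untrusted input, so typed as unknown
  [member: string]: unknown;
}

interface Jwks {
  keys: Jwk[];
}

// Decide whether a JWK may be used to verify a JWT signature.
// An absent "use" is accepted; a present "use" must be exactly "sig".
function checkJwkUse(jwk: Jwk): { ok: boolean; reason: string } {
  if (!("use" in jwk) || jwk.use === undefined) {
    return { ok: true, reason: "use absent (member is optional)" };
  }
  if (typeof jwk.use !== "string") {
    return { ok: false, reason: "use present but not a string" };
  }
  if (jwk.use !== "sig") {
    return { ok: false, reason: `use is "${jwk.use}", not "sig"` };
  }
  return { ok: true, reason: 'use is "sig"' };
}

// Pick the key matching a token's kid, refusing keys marked for another use.
function selectVerificationKey(jwks: Jwks, kid: string): Jwk {
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (!jwk) throw new Error(`no key with kid "${kid}" in JWKS`);
  const result = checkJwkUse(jwk);
  if (!result.ok) throw new Error(`key "${kid}" rejected: ${result.reason}`);
  return jwk;
}

// Constructed sample JWKS; key material is placeholder text, not real keys.
const sampleJwks: Jwks = {
  keys: [
    { kty: "RSA", kid: "no-use", n: "constructed", e: "AQAB" },
    { kty: "RSA", kid: "sig-use", use: "sig", n: "constructed", e: "AQAB" },
    { kty: "RSA", kid: "enc-use", use: "enc", n: "constructed", e: "AQAB" },
  ],
};
```

Unlike a cache that writes `use = "sig"` onto every key, this check leaves the published JWKS untouched, so a key the issuer marked `"enc"` is still refused for signature verification.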