auth0 / java-jwt

Java implementation of JSON Web Token (JWT)


Wrong algorithm name matching between JWT and Algorithm

samoylenkodmitry opened this issue · comments

Checklist

  • I have looked into the Readme and Examples, and have not found a suitable solution or answer.
  • I have looked into the API documentation and have not found a suitable solution or answer.
  • I have searched the issues and have not found a suitable solution or answer.
  • I have searched the Auth0 Community forums and have not found a suitable solution or answer.
  • I agree to the terms within the Auth0 Code of Conduct.

Description

private void verifyAlgorithm(DecodedJWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException {

This is always false, as jwt contains strings like RS512 and expectedAlgorithm is like SHA512withRSA

    private void verifyAlgorithm(DecodedJWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException {
        if (!expectedAlgorithm.getName().equals(jwt.getAlgorithm())) {
            throw new AlgorithmMismatchException(
                    "The provided Algorithm doesn't match the one defined in the JWT's Header.");
        }
    }

Ktor uses this code to match between them (https://github.com/ktorio/ktor/blob/d5ae8e5641dea582fbe5ebb52577e7bdad2f5ad8/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTUtils.kt#L21):

    internal fun Jwk.makeAlgorithm(): Algorithm = when (algorithm) {
        "RS256" -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
        "RS384" -> Algorithm.RSA384(publicKey as RSAPublicKey, null)
        "RS512" -> Algorithm.RSA512(publicKey as RSAPublicKey, null)
        "ES256" -> Algorithm.ECDSA256(publicKey as ECPublicKey, null)
        "ES384" -> Algorithm.ECDSA384(publicKey as ECPublicKey, null)
        "ES512" -> Algorithm.ECDSA512(publicKey as ECPublicKey, null)
        null -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
        else -> throw IllegalArgumentException("Unsupported algorithm $algorithm")
    }

Example of jwks.json

    {
      "keys": [
        {
          "alg": "RS512",
          "kty": "RSA",
          "e": "AQAB",
          "kid": "shrtl.in_kid_1",
          "n": "rRbu3b6NSr-cn3hTyXfRZCMEsvO5OOMFLix8pg6Zd8Ms9ku2XbadYZcMxSnXPn46U21mUd7ymGndbXkMjHga-a6wi8Qz3eH3g5IWe9N-_ukgxrYqJE5ObxTU0xAk5Sau7s4n66OfdCOJ2dPL0R-fcM3FOdpvDD8n34NLYFAFmQXjXM19xYlSjcQgW90p5NHfrl2pmFEOensf2dmJZ5I4AkqjoRu8lK-c4oP92n8Z0ldihi1wAbH9ZDGAHtiwP85xTr7KhkNYP7SyyMWVZQ2Z0A1ufKVNlgWsR6tjRdkuL_rcXPfjVdxYs5NEZbYPuud7c7hy2-ZNSXiGbqVQoZmrzwo"
        }
      ]
    }

Example of JWT

eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpbi5zaHJ0bC5hcHAiLCJpc3MiOiJodHRwOi8vMC4wLjAuMDo4MDgwIiwidWlkIjo3fQ.mWz2BWSu9mGl6wTVr-cnVeKbemHy5s0DDe8VHqy12xt4mqXcEqY-OWWFuKt1Ahs0zHucZKLxfdTxRBB1jIf1otXNLOrOdkjfXVZK9Q5Kr4PujlCwUSw1dcOsnEmkGaviGmSbCmCMVu-waM2VzICpnPC0l4pHpdZeAv7XBKM75XLQIJE7bkHRXLtf1OLXe_pHHZEJN-RYruqpfWyn2iYaN_TbfQaSvTVaBV7wo8uGpM1NEXlw_utQFkV7hD9kXTKhtJnPiPLiherKxTqviGqxxit1EHDkV7Nxn15efnKtgH7rVGNOU9Xf6zbI4k9GvkNaHGeHXqB2-YxHKKwGhQUe3g

check JWT

Reproduction

Use Ktor and try to set up JWT auth.

Additional context

No response

java-jwt version

com.auth0:java-jwt:4.4.0

Java version

java.runtime.version -> 21.0.2+13-jvmci-23.1-b30

My apologies, false claim, getName() returns the correct name of "RS512".
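To show concretely what the follow-up says, the following added example (not code from java-jwt, Ktor or the issue author) rebuilds the RSA public key from the jwks.json above, prints Algorithm.getName() next to the token header's alg, and runs the pinned verifier on the sample JWT. It assumes the sample token was signed with the private key belonging to that JWK, as the issue implies; the aud and iss values are the ones decoded from the token's payload.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.exceptions.AlgorithmMismatchException;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.math.BigInteger;
import java.security.KeyFactory;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.RSAPublicKeySpec;
import java.util.Base64;

public class AlgMatchCheck {
    // "n" and "e" copied from the jwks.json in the issue; the token is the sample JWT from the issue.
    static final String N = "rRbu3b6NSr-cn3hTyXfRZCMEsvO5OOMFLix8pg6Zd8Ms9ku2XbadYZcMxSnXPn46U21mUd7ymGndbXkMjHga-a6wi8Qz3eH3g5IWe9N-_ukgxrYqJE5ObxTU0xAk5Sau7s4n66OfdCOJ2dPL0R-fcM3FOdpvDD8n34NLYFAFmQXjXM19xYlSjcQgW90p5NHfrl2pmFEOensf2dmJZ5I4AkqjoRu8lK-c4oP92n8Z0ldihi1wAbH9ZDGAHtiwP85xTr7KhkNYP7SyyMWVZQ2Z0A1ufKVNlgWsR6tjRdkuL_rcXPfjVdxYs5NEZbYPuud7c7hy2-ZNSXiGbqVQoZmrzwo";
    static final String E = "AQAB";
    static final String TOKEN = "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpbi5zaHJ0bC5hcHAiLCJpc3MiOiJodHRwOi8vMC4wLjAuMDo4MDgwIiwidWlkIjo3fQ.mWz2BWSu9mGl6wTVr-cnVeKbemHy5s0DDe8VHqy12xt4mqXcEqY-OWWFuKt1Ahs0zHucZKLxfdTxRBB1jIf1otXNLOrOdkjfXVZK9Q5Kr4PujlCwUSw1dcOsnEmkGaviGmSbCmCMVu-waM2VzICpnPC0l4pHpdZeAv7XBKM75XLQIJE7bkHRXLtf1OLXe_pHHZEJN-RYruqpfWyn2iYaN_TbfQaSvTVaBV7wo8uGpM1NEXlw_utQFkV7hD9kXTKhtJnPiPLiherKxTqviGqxxit1EHDkV7Nxn15efnKtgH7rVGNOU9Xf6zbI4k9GvkNaHGeHXqB2-YxHKKwGhQUe3g";

    // Build the RSA public key from the JWK's base64url-encoded modulus and exponent.
    static RSAPublicKey publicKeyFromJwk(String n, String e) throws Exception {
        Base64.Decoder dec = Base64.getUrlDecoder(); // accepts unpadded input
        RSAPublicKeySpec spec = new RSAPublicKeySpec(
                new BigInteger(1, dec.decode(n)), new BigInteger(1, dec.decode(e)));
        return (RSAPublicKey) KeyFactory.getInstance("RSA").generatePublic(spec);
    }

    public static void main(String[] args) throws Exception {
        RSAPublicKey key = publicKeyFromJwk(N, E);

        // getName() returns the JWT algorithm name ("RS512"), not the JCA name ("SHA512withRSA"),
        // so it is directly comparable with the "alg" header field.
        Algorithm expected = Algorithm.RSA512(key, null);
        DecodedJWT unverified = JWT.decode(TOKEN); // parses header/claims only, no signature check
        System.out.println("Algorithm.getName(): " + expected.getName());
        System.out.println("token header alg:    " + unverified.getAlgorithm());

        // The verifier pins the algorithm; the token cannot pick it for us.
        JWTVerifier verifier = JWT.require(expected)
                .withAudience("in.shrtl.app")
                .withIssuer("http://0.0.0.0:8080")
                .build();
        DecodedJWT verified = verifier.verify(TOKEN); // throws JWTVerificationException on failure
        System.out.println("verified uid claim:  " + verified.getClaim("uid").asInt());

        // Pinning a different algorithm fails the header check before any signature work is done.
        try {
            JWT.require(Algorithm.RSA256(key, null)).build().verify(TOKEN);
        } catch (AlgorithmMismatchException ex) {
            System.out.println("RS256 verifier rejected the RS512 token: " + ex.getMessage());
        }
    }
}
```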