Wrong algorithm name matching between JWT and Algorithm
samoylenkodmitry opened this issue · comments
Checklist
- I have looked into the Readme and Examples, and have not found a suitable solution or answer.
- I have looked into the API documentation and have not found a suitable solution or answer.
- I have searched the issues and have not found a suitable solution or answer.
- I have searched the Auth0 Community forums and have not found a suitable solution or answer.
- I agree to the terms within the Auth0 Code of Conduct.
Description
This is always false, as jwt contains strings like RS512 and expectedAlgorithm is like SHA512withRSA:
    private void verifyAlgorithm(DecodedJWT jwt, Algorithm expectedAlgorithm) throws AlgorithmMismatchException {
        // Compares the verifier-chosen Algorithm's name with the "alg" value in the JWT header.
        if (!expectedAlgorithm.getName().equals(jwt.getAlgorithm())) {
            throw new AlgorithmMismatchException(
                    "The provided Algorithm doesn't match the one defined in the JWT's Header.");
        }
    }
Ktor uses this code to match between them (https://github.com/ktorio/ktor/blob/d5ae8e5641dea582fbe5ebb52577e7bdad2f5ad8/ktor-server/ktor-server-plugins/ktor-server-auth-jwt/jvm/src/io/ktor/server/auth/jwt/JWTUtils.kt#L21):
    // Maps the JWK "alg" value to the java-jwt Algorithm used for verification.
    internal fun Jwk.makeAlgorithm(): Algorithm = when (algorithm) {
        "RS256" -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
        "RS384" -> Algorithm.RSA384(publicKey as RSAPublicKey, null)
        "RS512" -> Algorithm.RSA512(publicKey as RSAPublicKey, null)
        "ES256" -> Algorithm.ECDSA256(publicKey as ECPublicKey, null)
        "ES384" -> Algorithm.ECDSA384(publicKey as ECPublicKey, null)
        "ES512" -> Algorithm.ECDSA512(publicKey as ECPublicKey, null)
        null -> Algorithm.RSA256(publicKey as RSAPublicKey, null)
        else -> throw IllegalArgumentException("Unsupported algorithm $algorithm")
    }
Example of jwks.json
    {
      "keys": [
        {
          "alg": "RS512",
          "kty": "RSA",
          "e": "AQAB",
          "kid": "shrtl.in_kid_1",
          "n": "rRbu3b6NSr-cn3hTyXfRZCMEsvO5OOMFLix8pg6Zd8Ms9ku2XbadYZcMxSnXPn46U21mUd7ymGndbXkMjHga-a6wi8Qz3eH3g5IWe9N-_ukgxrYqJE5ObxTU0xAk5Sau7s4n66OfdCOJ2dPL0R-fcM3FOdpvDD8n34NLYFAFmQXjXM19xYlSjcQgW90p5NHfrl2pmFEOensf2dmJZ5I4AkqjoRu8lK-c4oP92n8Z0ldihi1wAbH9ZDGAHtiwP85xTr7KhkNYP7SyyMWVZQ2Z0A1ufKVNlgWsR6tjRdkuL_rcXPfjVdxYs5NEZbYPuud7c7hy2-ZNSXiGbqVQoZmrzwo"
        }
      ]
    }
Example of JWT
eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJpbi5zaHJ0bC5hcHAiLCJpc3MiOiJodHRwOi8vMC4wLjAuMDo4MDgwIiwidWlkIjo3fQ.mWz2BWSu9mGl6wTVr-cnVeKbemHy5s0DDe8VHqy12xt4mqXcEqY-OWWFuKt1Ahs0zHucZKLxfdTxRBB1jIf1otXNLOrOdkjfXVZK9Q5Kr4PujlCwUSw1dcOsnEmkGaviGmSbCmCMVu-waM2VzICpnPC0l4pHpdZeAv7XBKM75XLQIJE7bkHRXLtf1OLXe_pHHZEJN-RYruqpfWyn2iYaN_TbfQaSvTVaBV7wo8uGpM1NEXlw_utQFkV7hD9kXTKhtJnPiPLiherKxTqviGqxxit1EHDkV7Nxn15efnKtgH7rVGNOU9Xf6zbI4k9GvkNaHGeHXqB2-YxHKKwGhQUe3g
Reproduction
Use Ktor and try to set up JWT auth.
Additional context
No response
java-jwt version
com.auth0:java-jwt:4.4.0
Java version
java.runtime.version -> 21.0.2+13-jvmci-23.1-b30
My apologies, false claim, getName() returns the correct name of "RS512".
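To make the comparison concrete, here is an added Python example (not code from java-jwt, Ktor, or the reporter) that replays the check from verifyAlgorithm and the JWK-to-Algorithm mapping from Ktor against the JWT quoted in the issue. The `Algorithm`, `make_algorithm`, `verify_algorithm` and `unsigned_token_with_alg` names are this example's own stand-ins; the two names kept per algorithm mirror java-jwt, where `getName()` returns the header name ("RS512", as the follow-up confirms) and the JCA signature name ("SHA512withRSA") is a separate property. The token built by `unsigned_token_with_alg` is a constructed input used only to show the check rejecting a header whose "alg" does not match the verifier's choice.

```python
import base64
import json
from dataclasses import dataclass

# The JWT quoted in the issue; only its first (header) segment is decoded below.
ISSUE_TOKEN = (
    "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJpbi5zaHJ0bC5hcHAiLCJpc3MiOiJodHRwOi8vMC4wLjAuMDo4MDgwIiwidWlkIjo3fQ."
    "mWz2BWSu9mGl6wTVr-cnVeKbemHy5s0DDe8VHqy12xt4mqXcEqY-OWWFuKt1Ahs0zHucZKLxfdTxRBB1jIf1otXNLOrOdkjfXVZK9Q5Kr4PujlCwUSw1dcOsnEmkGaviGmSbCmCMVu-waM2VzICpnPC0l4pHpdZeAv7XBKM75XLQIJE7bkHRXLtf1OLXe_pHHZEJN-RYruqpfWyn2iYaN_TbfQaSvTVaBV7wo8uGpM1NEXlw_utQFkV7hD9kXTKhtJnPiPLiherKxTqviGqxxit1EHDkV7Nxn15efnKtgH7rVGNOU9Xf6zbI4k9GvkNaHGeHXqB2-YxHKKwGhQUe3g"
)


class AlgorithmMismatchError(Exception):
    """Stand-in for java-jwt's AlgorithmMismatchException."""


@dataclass(frozen=True)
class Algorithm:
    """Stand-in for java-jwt's Algorithm: two names for one algorithm."""
    name: str         # JWT header name, what getName() returns, e.g. "RS512"
    description: str  # JCA signature name used for the actual signature check


# Header name -> Algorithm, the same cases Ktor's Jwk.makeAlgorithm() handles.
# Key material is omitted; only the naming is relevant here.
ALGORITHMS = {
    "RS256": Algorithm("RS256", "SHA256withRSA"),
    "RS384": Algorithm("RS384", "SHA384withRSA"),
    "RS512": Algorithm("RS512", "SHA512withRSA"),
    "ES256": Algorithm("ES256", "SHA256withECDSA"),
    "ES384": Algorithm("ES384", "SHA384withECDSA"),
    "ES512": Algorithm("ES512", "SHA512withECDSA"),
}


def make_algorithm(jwk_alg):
    """Ktor-style mapping: a JWK without "alg" falls back to RS256,
    an unknown value is rejected."""
    if jwk_alg is None:
        return ALGORITHMS["RS256"]
    try:
        return ALGORITHMS[jwk_alg]
    except KeyError:
        raise ValueError(f"Unsupported algorithm {jwk_alg}") from None


def b64url_decode(segment):
    """Base64url without padding, as used by JWS segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_header(token):
    """Parse the JOSE header of a compact JWS without trusting anything in it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))


def verify_algorithm(token, expected):
    """The check from java-jwt's verifyAlgorithm: the header "alg" must equal
    the verifier-chosen Algorithm.name. The header is attacker-controlled, so
    it is only compared against the expected algorithm, never used to pick it."""
    header_alg = decode_header(token).get("alg")
    if header_alg != expected.name:
        raise AlgorithmMismatchError(
            "The provided Algorithm doesn't match the one defined in the JWT's Header.")
    return header_alg


def unsigned_token_with_alg(alg):
    """Constructed input: a token whose header claims `alg` and carries an
    empty signature. Used only to show the mismatch check rejecting it."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': alg, 'typ': 'JWT'})}.{seg({'uid': 7})}."


if __name__ == "__main__":
    print(decode_header(ISSUE_TOKEN))                                  # {'alg': 'RS512', 'typ': 'JWT'}
    print(verify_algorithm(ISSUE_TOKEN, make_algorithm("RS512")))      # RS512
    # Comparing against the JCA name, or against the RS256 default a JWK
    # without "alg" produces, both fail the check.
    for expected in (Algorithm("SHA512withRSA", "SHA512withRSA"), make_algorithm(None)):
        try:
            verify_algorithm(ISSUE_TOKEN, expected)
        except AlgorithmMismatchError as e:
            print(f"{expected.name}: {e}")
```

Two practical points fall out of running it: the JWK in the issue carries "alg": "RS512", so Ktor's mapping and the token's header agree; a JWK that omits "alg" would map to RS256 and the same RS512 token would then be rejected with exactly the mismatch message quoted above.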