go-jose / go-jose

An implementation of JOSE standards (JWE, JWS, JWT) in Go


Do not fail JSONWebKey.UnmarshalJSON() if jwks contains keys with unsupported algorithms

samiponkanenssh opened this issue

It seems go-jose cannot unmarshal jwks key sets which contain keys with unsupported algorithms.

coreos/go-oidc uses go-jose to unmarshal jwks key sets fetched from an OIDC provider's jwks URL. This unmarshalling happens in https://github.com/coreos/go-oidc/blob/v3/oidc/jwks.go#L242 :

...
	var keySet jose.JSONWebKeySet
	err = unmarshalResp(resp, body, &keySet)
	if err != nil {
		return nil, fmt.Errorf("oidc: failed to decode keys: %v %s", err, body)
	}
	return keySet.Keys, nil

And in https://github.com/coreos/go-oidc/blob/a8ceb9a2043fca2e43518633920db746808b1138/oidc/oidc.go#L511 :

func unmarshalResp(r *http.Response, body []byte, v interface{}) error {
	err := json.Unmarshal(body, &v)
	if err == nil {
		return nil
	}
	ct := r.Header.Get("Content-Type")
	mediaType, _, parseErr := mime.ParseMediaType(ct)
	if parseErr == nil && mediaType == "application/json" {
		return fmt.Errorf("got Content-Type = application/json, but could not unmarshal as JSON: %v", err)
	}
	return fmt.Errorf("expected Content-Type = application/json, got %q: %v", ct, err)
}

If the jwks contains keys with unknown / unsupported algorithms, this unmarshalling fails for the whole jwks key set.

One such unsupported jwk algorithm seen in the real world is the "kty": "OKP" with "crv": "X25519", as in:

{"kty": "OKP", "use": "enc", "crv": "X25519", "kid": "...", "x": "..."}

Could go-jose unmarshal such unsupported jwk keys into JSONWebKey structures for which JSONWebKey.Valid() would return false? This way upper layers could filter out invalid jwk keys from the jwks key set.
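The failure mode described in this issue is that a JWK Set is decoded as one unit, so a single key whose `kty`/`crv` the library does not know makes the whole set unusable. The following is an added example written for this page, not code from go-jose or go-oidc: it decodes a JWK Set one key at a time using only the Go standard library, materializes RSA and EC (P-256/P-384/P-521) public keys, and reports unsupported keys (such as the OKP/X25519 key shown above) separately instead of failing the set. The `ParseJWKS`, `SampleJWKS` and `SkippedKey` names are assumptions made here, the sample set is constructed inline, and its RSA modulus is a placeholder bit pattern, not a real key.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rsa"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
)

// rawJWK holds the JWK members needed to decide whether a key is supported
// and to build the public key. Unknown members are ignored by encoding/json.
type rawJWK struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	Kid string `json:"kid"`
	Use string `json:"use"`
	N   string `json:"n"`
	E   string `json:"e"`
	X   string `json:"x"`
	Y   string `json:"y"`
}

// ParsedKey is a key the loader could materialize (hypothetical type for this example).
type ParsedKey struct {
	Kid string
	Use string
	Key interface{} // *rsa.PublicKey or *ecdsa.PublicKey
}

// SkippedKey records a key that was left out of the set and why (hypothetical type).
type SkippedKey struct {
	Kid    string
	Reason string
}

// b64Int decodes an unpadded base64url big-endian integer as JWK (RFC 7518) requires.
func b64Int(s string) (*big.Int, error) {
	b, err := base64.RawURLEncoding.DecodeString(s)
	if err != nil {
		return nil, err
	}
	if len(b) == 0 {
		return nil, fmt.Errorf("empty integer")
	}
	return new(big.Int).SetBytes(b), nil
}

// convertKey turns one JWK into a Go public key, or explains why it cannot.
func convertKey(k rawJWK) (interface{}, error) {
	switch k.Kty {
	case "RSA":
		n, err := b64Int(k.N)
		if err != nil {
			return nil, fmt.Errorf("rsa n: %w", err)
		}
		e, err := b64Int(k.E)
		if err != nil {
			return nil, fmt.Errorf("rsa e: %w", err)
		}
		if !e.IsInt64() || e.Int64() < 3 {
			return nil, fmt.Errorf("rsa e out of range")
		}
		return &rsa.PublicKey{N: n, E: int(e.Int64())}, nil
	case "EC":
		var curve elliptic.Curve
		switch k.Crv {
		case "P-256":
			curve = elliptic.P256()
		case "P-384":
			curve = elliptic.P384()
		case "P-521":
			curve = elliptic.P521()
		default:
			return nil, fmt.Errorf("unsupported EC curve %q", k.Crv)
		}
		x, err := b64Int(k.X)
		if err != nil {
			return nil, fmt.Errorf("ec x: %w", err)
		}
		y, err := b64Int(k.Y)
		if err != nil {
			return nil, fmt.Errorf("ec y: %w", err)
		}
		if !curve.IsOnCurve(x, y) { // reject points off the curve before use
			return nil, fmt.Errorf("ec point not on %s", k.Crv)
		}
		return &ecdsa.PublicKey{Curve: curve, X: x, Y: y}, nil
	default:
		return nil, fmt.Errorf("unsupported kty %q (crv %q)", k.Kty, k.Crv)
	}
}

// ParseJWKS decodes a JWK Set key by key. Only a malformed set as a whole is an
// error; an individual key that is malformed or unsupported is reported in the
// skipped list so callers can keep the usable keys.
func ParseJWKS(body []byte) ([]ParsedKey, []SkippedKey, error) {
	var set struct {
		Keys []json.RawMessage `json:"keys"`
	}
	if err := json.Unmarshal(body, &set); err != nil {
		return nil, nil, fmt.Errorf("jwks: %w", err)
	}
	var keys []ParsedKey
	var skipped []SkippedKey
	for i, raw := range set.Keys {
		var k rawJWK
		if err := json.Unmarshal(raw, &k); err != nil {
			skipped = append(skipped, SkippedKey{Kid: fmt.Sprintf("#%d", i), Reason: err.Error()})
			continue
		}
		pub, err := convertKey(k)
		if err != nil {
			skipped = append(skipped, SkippedKey{Kid: k.Kid, Reason: err.Error()})
			continue
		}
		keys = append(keys, ParsedKey{Kid: k.Kid, Use: k.Use, Key: pub})
	}
	return keys, skipped, nil
}

// SampleJWKS is a constructed JWK Set for this example: a placeholder RSA key,
// a P-256 key using the curve's generator point (guaranteed on-curve), and an
// OKP/X25519 key in the shape from the issue.
func SampleJWKS() []byte {
	enc := base64.RawURLEncoding.EncodeToString
	p := elliptic.P256().Params()
	pad := func(v *big.Int) []byte { return v.FillBytes(make([]byte, 32)) }
	set := map[string]interface{}{
		"keys": []map[string]string{
			{"kty": "RSA", "use": "sig", "kid": "rsa-1", "n": enc(bytes.Repeat([]byte{0xC3}, 256)), "e": "AQAB"},
			{"kty": "EC", "use": "sig", "kid": "ec-1", "crv": "P-256", "x": enc(pad(p.Gx)), "y": enc(pad(p.Gy))},
			{"kty": "OKP", "use": "enc", "kid": "okp-1", "crv": "X25519", "x": enc(make([]byte, 32))},
		},
	}
	b, _ := json.Marshal(set)
	return b
}

func main() {
	keys, skipped, err := ParseJWKS(SampleJWKS())
	if err != nil {
		panic(err)
	}
	for _, k := range keys {
		fmt.Printf("usable: kid=%s use=%s type=%T\n", k.Kid, k.Use, k.Key)
	}
	for _, s := range skipped {
		fmt.Printf("skipped: kid=%s reason=%s\n", s.Kid, s.Reason)
	}
}
```

The point of the split return is that a caller such as an OIDC verifier can log the skipped entries and still verify tokens with the remaining keys, which is the behaviour the issue asks for from `JSONWebKey.Valid()`; note that the set-level JSON error is still fatal, since a body that is not a JWK Set at all should never yield an empty-but-successful key list.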

Ran into the same issue. Used your commit. Thanks @samiponkanenssh