Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow JWT::decode to accept an empty string as a valid kid #581

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Allow JWT::decode to accept an empty string as a valid kid #581

wants to merge 1 commit into from

Conversation

ryanneufeld
Copy link

There are instances when using CachedKeySet where a key is returned with an empty string as the kid. This is a valid use case and should be allowed.

For example Teleport Proxy uses this pattern to allow for a default key.

{
    "keys": [
        {
            "kty": "RSA",
            "alg": "RS256",
            "n": "<redacted>",
            "e": "AQAB",
            "use": "sig",
            "kid": ""
        }
    ]
}

Newer versions of teleport also return:

{
    "keys": [
        {
            "kty": "RSA",
            "alg": "RS256",
            "n": "<same key redacted>",
            "e": "AQAB",
            "use": "sig",
            "kid": "<redacted kid>"
        },
        {
            "kty": "RSA",
            "alg": "RS256",
            "n": "<same key redacted>",
            "e": "AQAB",
            "use": "sig",
            "kid": ""
        }
    ]
}

The getKey method can be simplified, as well as refactored to follow the same pattern as the CachedKeySet class which casts null kids to an empty string.

This change also adds a test to ensure that an empty string kid is a valid kid.

@google-cla Google CLA
Copy link

google-cla bot commented Oct 23, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@ryanneufeld @rneufeldcisco
Allow JWT::decode to accept an empty string as a valid kid
993a11c 
There are instances when using CachedKeySet where a key is returned with an empty string as the kid.
This is a valid use case and should be allowed.

For example Teleport Proxy uses this pattern to allow for a default key.

The getKey method can be simplified, as well as refactored to follow the same pattern as
the CachedKeySet class which casts null kids to an empty string.

This change also adds a test to ensure that an empty string kid is a valid kid.
@rneufeldcisco rneufeldcisco force-pushed the Allow-empty-string-kid-as-valid-kid branch from a09f76f to 993a11c Compare October 23, 2024 20:00
@ryanneufeld
Copy link
Author

I've signed the CCA, is there anyone who has time to review this?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@ryanneufeld