Skip to content

Unmarshal jwk keys with unsupported key type or algorithm into empty … #26

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jsha merged 2 commits into from
Jun 18, 2024
Merged

Unmarshal jwk keys with unsupported key type or algorithm into empty … #26

jsha merged 2 commits into from
Jun 18, 2024

Conversation

@samiponkanenssh
Copy link
Contributor

@samiponkanenssh samiponkanenssh commented Jan 18, 2023

Unmarshal jwk keys with unsupported key type or algorithm into empty JSONWebKeys. Ignore invalid jwk keys when unmarshalling jwks key sets.

@samiponkanenssh
Unmarshal jwk keys with unsupported key type or algorithm into empty …
f2c4acb 
…JSONWebKeys. Ignore invalid jwk keys when unmarshalling jwks key sets.
@samiponkanenssh
Copy link
Contributor Author

samiponkanenssh commented Jan 18, 2023

Fixes #25

@bluecmd bluecmd mentioned this pull request Apr 7, 2023
Closed
jsha
jsha requested changes Nov 17, 2023
View reviewed changes
Copy link
Collaborator

@jsha jsha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this!

By my read of the RFC, the SHOULD only applies to keys within a JWK Set. If there's a solo key and the implementation doesn't understand it, there's no SHOULD to accept it.

I think the right approach here is to return a sentinel error for "unknown key type" from JSONWebKey.UnmarshalJSON(). Then in JSONWebKeySet.UnmarshalJSON() we can look for that sentinel error and not add the key to the list when it happens (but also not error out the whole parse).

@samiponkanenssh
Copy link
Contributor Author

samiponkanenssh commented Nov 17, 2023

Thanks for working on this!

By my read of the RFC, the SHOULD only applies to keys within a JWK Set. If there's a solo key and the implementation doesn't understand it, there's no SHOULD to accept it.

I think the right approach here is to return a sentinel error for "unknown key type" from JSONWebKey.UnmarshalJSON(). Then in JSONWebKeySet.UnmarshalJSON() we can look for that sentinel error and not add the key to the list when it happens (but also not error out the whole parse).

Yes, that approach sounds like doing the same job. Maybe that is a better and clearer solution too.

@samiponkanenssh
Return errUnsupportedJWK when jwk key unmarshal fails because of unkn…
780221e 
…own jwk key type or parameters. Check for this error when unmarshalling jwks key sets.
@samiponkanenssh samiponkanenssh requested a review from jsha December 1, 2023 07:50
@lwj5
Copy link

lwj5 commented May 10, 2024
edited
Loading

Is there any blocker for this PR? I've a similar case to #59 (comment) where the OIDC conformance suite is failing due to the inability to handle unknown key types

Is there any way that I can help to move forward this PR?

@haleystorm
Copy link

haleystorm commented Jun 7, 2024

Is there any blocker for this PR? I've a similar case to #59 (comment) where the OIDC conformance suite is failing due to the inability to handle unknown key types

Is there any way that I can help to move forward this PR?

Is anyone actively working on this fix? Sounds like a good solution has been proposed but it is unclear the status. Thanks!

@samiponkanenssh
Copy link
Contributor Author

samiponkanenssh commented Jun 10, 2024

Is there any blocker for this PR? I've a similar case to #59 (comment) where the OIDC conformance suite is failing due to the inability to handle unknown key types
Is there any way that I can help to move forward this PR?

Is anyone actively working on this fix? Sounds like a good solution has been proposed but it is unclear the status. Thanks!

I hope this is not blocked because of me (the author). If there's still something I need to do, then please advice. Thanks!

jsha
jsha approved these changes Jun 18, 2024
View reviewed changes
Copy link
Collaborator

@jsha jsha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great. Thanks for the fix, and apologies for letting it linger so long. I have one proposed improvement below.

jwk.go
return err
}
} else {
s.Keys = append(s.Keys, k)
Copy link
Collaborator

@jsha jsha Jun 18, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The docs for Unmarshal say:

To unmarshal a JSON array into a slice, Unmarshal resets the slice length to zero and then appends each element to the slice.

We should do the same here, resetting s.Keys to zero length just in case we wind up unmarshaling into a pre-existing JSONWebKeySet.

@jsha
Copy link
Collaborator

jsha commented Jun 18, 2024

I'm going to merge this and send a followup PR with the proposed improvement.

@jsha jsha merged commit 3e2bbef into go-jose:v3 Jun 18, 2024
jsha pushed a commit that referenced this pull request Jun 18, 2024
@samiponkanenssh @jsha
Unmarshal jwk keys with unsupported key type or algorithm into empty … (
0a0f745 
#26)

Unmarshal JWKs with unsupported key type or algorithm into empty
JSONWebKeys. Ignore invalid JWKs when unmarshalling JWK Sets.
@jsha jsha mentioned this pull request Jun 18, 2024
Merged
jsha added a commit that referenced this pull request Jun 18, 2024
@jsha
Revert "Unmarshal jwk keys with unsupported key type or algorithm int…
aa74dbf 
…o empty … (#26)"

This reverts commit 3e2bbef.
@jsha jsha mentioned this pull request Jun 18, 2024
Merged
jsha added a commit that referenced this pull request Jun 18, 2024
@jsha
Revert #26 (ignore unsupported JWKs in Sets) (#131)
0f017e9 
This reverts commit 3e2bbef, "Unmarshal
jwk keys with unsupported key type or algorithm into empty ... (#26)"

I accidentally merged that PR into v3, but per our README, the v3 branch
is getting security updates but not functionality updates.
martij19 pushed a commit to martij19/go-jose that referenced this pull request Jul 8, 2024
@samiponkanenssh @martij19
Unmarshal jwk keys with unsupported key type or algorithm into empty … (
c1831fe 
go-jose#26)

Unmarshal JWKs with unsupported key type or algorithm into empty
JSONWebKeys. Ignore invalid JWKs when unmarshalling JWK Sets.
@mcpherrinm mcpherrinm mentioned this pull request Feb 26, 2025
Merged
jsha pushed a commit that referenced this pull request Jul 17, 2025
@fprojetto
jwk: JSONWebKey.UnmarshalJSON can return ErrUnsupportedKeyType (#191)
e2cde04 
Ultimately we want to ignore unsupported key types in JSONWebKeySets
(#26 / #130), but we are blocked on doing a breaking change release.
In the meantime, we can have JSONWebKey (the singular version)
return ErrUnsupportedKeyType.

This allows users to write their own JWKS umarshalling method to
ignore unsupported key types, eg.
https://github.com/zitadel/oidc/blob/045b59e5a55be97ba180fdaae96fb66302a03353/pkg/client/rp/jwks.go#L221-L235.
@jsha jsha mentioned this pull request Jul 18, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsha jsha jsha approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@samiponkanenssh @lwj5 @haleystorm @jsha