Honour the kid field in JWT if present.

969354e9 · Juliusz Chroboczek · 6c019253 · 969354e9 · 969354e9 · 969354e9
Commit 969354e9 authored May 11, 2024 by Juliusz Chroboczek
Hide whitespace changes
Inline Side-by-side

Showing with 18 additions and 9 deletions

README README +3 -2

group/description.go group/description.go +1 -1

token/jwt.go token/jwt.go +14 -6

No files found.
--- a/README
+++ b/README
@@ -319,8 +319,9 @@ specify either an authorisation server or an authorisation portal.
        "authServer": "https://auth.example.org",
    }

-If multiple keys are provided, then they will all be tried in turn (the
-kid field, if provided, is ignored).
+If multiple keys are provided, then they will all be tried in turn, unless
+the token includes the "kid" header field, in which case only the
+specified key will be used.

 If an authorisation server is specified, then the default client, after it
 prompts for a password, will request a token from the authorisation server

--- a/group/description.go
+++ b/group/description.go
@@ -581,7 +581,7 @@ func SetWildcardUser(group string, user *UserDescription) error {

 func SetKeys(group string, keys []map[string]any) error {
 	if keys != nil {
-		_, err := token.ParseKeys(keys)
+		_, err := token.ParseKeys(keys, "")
 		if err != nil {
 			return err
 		}

--- a/token/jwt.go
+++ b/token/jwt.go
@@ -96,14 +96,18 @@ func ParseKey(key map[string]any) (any, error) {
 	}
 }

-func ParseKeys(keys []map[string]any) ([]jwt.VerificationKey, error) {
-	ks := make([]jwt.VerificationKey, len(keys))
-	for i, ky := range keys {
+func ParseKeys(keys []map[string]any, kid string) ([]jwt.VerificationKey, error) {
+	ks := make([]jwt.VerificationKey, 0, len(keys))
+	for _, ky := range keys {
+		// return all keys if kid is not specified
+		if kid != "" && ky["kid"] != kid {
+			continue
+		}
 		k, err := ParseKey(ky)
 		if err != nil {
 			return nil, err
 		}
-		ks[i] = k
+		ks = append(ks, k)
 	}
 	return ks, nil
 }
@@ -130,11 +134,15 @@ func toStringArray(a interface{}) ([]string, bool) {
 func parseJWT(token string, keys []map[string]any) (*JWT, error) {
 	t, err := jwt.Parse(
 		token,
-		func(t *jwt.Token) (interface{}, error) {
-			ks, err := ParseKeys(keys)
+		func(t *jwt.Token) (any, error) {
+			kid, _ := t.Header["kid"].(string)
+			ks, err := ParseKeys(keys, kid)
 			if err != nil {
 				return nil, err
 			}
+			if len(ks) == 1 {
+				return ks[0], nil
+			}
 			return jwt.VerificationKeySet{Keys: ks}, nil
 		},
 		jwt.WithExpirationRequired(),