cosmo
Router - Allow authentication of JWT tokens lacking kid
Component(s)
router
Is your feature request related to a problem? Please describe.
When authenticating a JWT token without a kid (Key ID) against a JWKS, we encounter the following error:
failed keyfunc: could not find kid in JWT header
This behavior is expected because the keyfunc library currently does not support tokens that lack a kid. Reference: MicahParks/keyfunc#127
This is related to the following config.yaml configuration:
authentication:
  jwt:
    jwks:
      - url: "https://xxx.com/auth/realms/xxxx/protocol/openid-connect/certs"
        refresh_interval: 1m
As an example, the following token:
eyJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiakRkbDdSUXdVT24xVE5hX0NtTi1vdyIsInN1YiI6InVzZXItc3ViamVjdC0xMjM0NTMxIiwiYXVkIjoiZGVmYXVsdCIsImlzcyI6Imh0dHBzOi8vd3d3LmNlcnRpZmljYXRpb24ub3BlbmlkLm5ldC90ZXN0LzJvNGhZdDU3UU1zTmx4UC8iLCJleHAiOjE3MjYxMTkyNjksImlhdCI6MTcyNjExODk2OX0.DAIgDtaglNDTnU8QC-UmqARiO0QG1EzxIo1Krv_EUv9ZHYj5qG1rVrlWPTkhqO0Azw3j3_jK4J1h9VvzeH6_AxtCs-dV9wLBDL_gogDywh-skYYZ_WihvLeSmfHoP-fl8NQxZRJ118Nu3EOcxor85RaeKp3FrTpEqOG94yhgSZ-4mN-jJlN_e1jSetE76gRVlsEp_UP4l6c3DXXZ4-d7y5NqO1Rv93KpFwiC22CBy9Iu2lOkqfPIF4aHdjBxgN8BZGMysWO0DbSqE3fLFD51FzP5NkNvveqV3XPLI9eLMyK7kWswLIcgeFtL7xkv8krw4TLBUBcugcLfgcGAZdtc-w
should be validated against the following JWKS:
{
"keys": [
{
"kty": "RSA",
"e": "AQAB",
"use": "sig",
"n": "uukX5Yo8pM4nFFSQ4ZdinfAnm2cxPDnEeMgTW39Mn_WBUUuP9OkxgJEfCc-_le963N36bpv14fb830eBS2Weld7UhYQQFx48bhBd6OY8NRZJV7Dg1Ub0YdXwfgKPkdbBZLbCpu3FK_KY5aXJKn8nTY-64s37fl91AOlYB2Q-0Q2D1NweRsH-mP5RV9gMG6q5tNhLmbCfDiL2vV2KVMUq2LsoGKF-f5ZzmVlHGy6UDgkC3BH0N7o5nJh_0iyXBieORtFb6TPP3pw-ER9QSLVhLfTUrnXTlhqyAsToaHXstX66JJaZQ_WjqCtiKhLr22809OPOE59g6TKHp6d2ea-saw"
},
{
"kty": "EC",
"use": "sig",
"crv": "P-256",
"x": "4u93KgJZgf1ISOCLSEXTq4GKrwM7hdnkP2m1eQsnHaY",
"y": "xs1zTvc3yyCIGeWq3poV-T9DqqteP4d5CVTc04qJna0"
},
{
"kty": "EC",
"use": "sig",
"crv": "secp256k1",
"x": "76uOYhPihVpUp2OodREkQZD3pyGKeEzAefzuWGyAPxg",
"y": "y54_2iPVOUScCYsG81_H-dD-ToSeR8_z0U9aKNkC6Ug"
},
{
"kty": "OKP",
"use": "sig",
"crv": "Ed25519",
"x": "Lf5MH_DJG5UfEDyi5g9VPZ6OAFzhsXUU7qiItvJgpcM"
},
{
"kty": "RSA",
"e": "AQAB",
"use": "enc",
"kid": "371cd27d-a43d-43df-aee0-1de48680307f",
"alg": "RSA-OAEP",
"n": "xHudfO1LjEUCx-cpvm4d9bIYRnjuW5lEQSpN0OgvwgDjeu1tludfUGd6hvvH8Qyhtti_GTdz2g5x5Iq3hSd9vcv-VlYR18PHTFuaGisxXwPyqG6qnxL6KizuyXMrkLHXkCP-e_gSN-CTcy7jdGNiYsafnkvSaY87Y_bk4B-tHnmiy750NYpMszp2su64BtzD-qFRkfcFawWbbtOIq1iIyCvE3eMg4Phu5GTK3JQLC-iKTl-yRNN_vUd0CvpBRud6X7JuxGCwV_n2yUy5PTYMJwYWEeDoZu55l2VCVK9vDddDVEp72V3mrrq1DMXMNAD_zCbQjV2iJJFFLsVMa4JYLw"
},
{
"kty": "EC",
"use": "enc",
"crv": "P-256",
"kid": "487710c5-e29f-4f8b-a97e-1f9505c756e6",
"x": "JuU4Z3N1v6bMyk_a3f1D9_xYbEoysjcEZxFJbfCvkvk",
"y": "OxuXJZY0dxCRPw6_BAGmmUrK0n6kO5OVep258M5I59Q",
"alg": "ECDH-ES"
}
]
}
Describe the solution you'd like
In release 3.5.0 of MicahParks/keyfunc, there is a way to return all keys for JWT signature verification using jwt.VerificationKeySet.
If there is no kid, maybe use the kty (the signing algorithm) and use (encryption or signing) to find the right key in the set for validation. Any other way would work for us.
Describe alternatives you've considered
No response
Additional context
We have requests with JWT tokens with a kid and others without; the router needs to authenticate both.
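A standard-library Go sketch of the selection rule suggested in this issue (kty and use, plus the key's own alg when it carries one) combined with the approach keyfunc 3.5.0 takes with jwt.VerificationKeySet, trying every eligible key in turn. This is an added example, not code from the cosmo router or from keyfunc, and it calls neither library so that it runs offline; the key set, the kids "key-2" and "enc-1", the claims and all function names are constructed for the example. It also adds the check a router needs before it starts trying several keys: an alg allow-list evaluated before key selection, so an "alg": "none" or HMAC token never reaches the loop.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding
// jwk carries the RFC 7517 members used here; encoding/json fills them from "kty", "n", ... case-insensitively.
type jwk struct{ Kty, Use, Alg, Kid, N, E string }
type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"` // absent on the wire when empty, which is exactly the case this issue is about
}

// ktyForAlg maps a JWS alg to the JWK key type able to verify it (alg and kty are different things).
var ktyForAlg = map[string]string{"RS256": "RSA", "RS384": "RSA", "RS512": "RSA", "PS256": "RSA", "PS384": "RSA", "PS512": "RSA", "ES256": "EC", "ES384": "EC", "ES512": "EC", "EdDSA": "OKP"}

// candidates returns the keys eligible to verify a token with header h: with a kid, only the key carrying it;
// without one, every key whose kty fits the alg, is not an encryption key ("use":"enc") and whose own alg, if set, matches.
func candidates(keys []jwk, h header) []jwk {
	var out []jwk
	for _, k := range keys {
		if (h.Kid != "" && k.Kid == h.Kid) ||
			(h.Kid == "" && k.Use != "enc" && k.Kty == ktyForAlg[h.Alg] && (k.Alg == "" || k.Alg == h.Alg)) {
			out = append(out, k)
		}
	}
	return out
}

// verifyRS256 tries each candidate in turn and returns the kid of the key that verified the token ("" for a
// kid-less key). The alg allow-list runs before key selection, so "none" or HMAC algs never reach the loop.
func verifyRS256(token string, keys []jwk) (string, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed compact JWS")
	}
	hb, errH := b64.DecodeString(parts[0])
	sig, errS := b64.DecodeString(parts[2])
	var h header
	if errH != nil || errS != nil || json.Unmarshal(hb, &h) != nil {
		return "", errors.New("malformed header or signature")
	}
	if h.Alg != "RS256" {
		return "", errors.New("alg not allowed: " + h.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	for _, k := range candidates(keys, h) {
		n, errN := b64.DecodeString(k.N) // a malformed n or e only disqualifies this one key
		e, errE := b64.DecodeString(k.E)
		pub := &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		if errN == nil && errE == nil && rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return k.Kid, nil
		}
	}
	return "", errors.New("no eligible key verifies the signature")
}

// signRS256 issues a compact JWS, leaving out the kid header when kid is empty.
func signRS256(priv *rsa.PrivateKey, kid string, claims map[string]any) string {
	hb, _ := json.Marshal(header{Alg: "RS256", Kid: kid})
	cb, _ := json.Marshal(claims)
	input := b64.EncodeToString(hb) + "." + b64.EncodeToString(cb)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

// publicJWK publishes the public half of an RSA key under the given kid ("" to omit it) and use.
func publicJWK(priv *rsa.PrivateKey, kid, use string) jwk {
	return jwk{Kty: "RSA", Use: use, Kid: kid, N: b64.EncodeToString(priv.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(priv.E)).Bytes())}
}

// demo runs the cases a router must handle against a constructed key set (not the issue's real JWKS): a kid-less
// RS256 token, a token carrying a kid, a token signed with a key published only for encryption, and "alg":"none".
func demo() (kidlessKid, kidUsed string, kidlessErr, kidErr, encOnlyErr, noneErr error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	signer, other, encOnly := gen(), gen(), gen()
	keys := []jwk{
		publicJWK(encOnly, "enc-1", "enc"),    // skipped: encryption key, even though its public half is here
		{Kty: "EC", Use: "sig", Alg: "ES256"}, // skipped: wrong key type for RS256
		publicJWK(other, "key-2", "sig"),      // eligible; tried first for the kid-less token and rejected
		publicJWK(signer, "", "sig"),          // published without a kid; the key that verifies the kid-less token
	}
	claims := map[string]any{"sub": "user-subject-1234531", "aud": "default"}
	kidlessKid, kidlessErr = verifyRS256(signRS256(signer, "", claims), keys)
	kidUsed, kidErr = verifyRS256(signRS256(other, "key-2", claims), keys)
	_, encOnlyErr = verifyRS256(signRS256(encOnly, "", claims), keys)
	_, noneErr = verifyRS256(b64.EncodeToString([]byte(`{"alg":"none"}`))+"."+b64.EncodeToString([]byte(`{}`))+".", keys)
	return
}
```

In demo, the kid-less token verifies against the kid-less RSA signing key after the decoy "key-2" has been tried and rejected, the token carrying "key-2" is matched by kid alone, and the token signed with the enc-only key fails even though its public half is in the set. A real router would still check exp, iss and aud after signature verification and would restrict the alg allow-list to what the identity provider actually issues; the loop here only covers RS256 because that is the alg of the token in the issue.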