aws-jwt-verify

[BUG] JwtRsaVerifier throws an error for JWTs that have no `iss` field: `error: Missing Issuer. Expected: null`

Open ottokruse opened this issue 1 year ago • 2 comments

Describe the bug

The JwtRsaVerifier throws an error for JWTs that have no `iss` field: `error: Missing Issuer. Expected: null`

But iss is an optional field. And in this case I am creating the verifier like so, setting issuer to null to signal that I don't want to check it:

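```typescript
import { JwtRsaVerifier } from "aws-jwt-verify";

// issuer and audience are set to null to signal that they should not be checked
const verifier = JwtRsaVerifier.create({
  issuer: null,
  audience: null,
  jwksUri: "<my uri>",
  customJwtCheck: ({ payload }) => {
    // my implementation
  },
});
```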

It looks like the error is that the JWK caching mechanism is based on `iss` (makes sense in principle) but cannot handle a missing `iss`: https://github.com/awslabs/aws-jwt-verify/blob/8bb9b6e4be7b9186a279a35ca82cbbed70405f55/src/jwt-rsa.ts#L647

Versions

- Which version of aws-jwt-verify are you using? 4.0.1
- Are you using the library in Node.js or in the Web browser? Node.js
- If Node.js, which version of Node.js are you using? (Should be at least 16) 20
- If Web browser, which web browser and which version of it are you using? N/A
- If using TypeScript, which version of TypeScript are you using? (Should be at least 4) High enough

To Reproduce

If you can, please provide a minimal code example that reproduces the bug.

ottokruse • Oct 17 '24 12:10

This doesn't even compile right now:

[two images]

ottokruse • Oct 17 '24 12:10

Maybe it is by design that issuer is mandatory for the JwtRsaVerifier, would have to dig in the code and my memory ...

ottokruse • Oct 17 '24 12:10

Concluding that this is not a "bug" per se but a consequence of design decisions made while building the JwtRsaVerifier.

ottokruse • Jan 02 '25 16:01
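What the issue asks for, verifying an RS256 JWT that has no `iss` against one fixed JWKS, shown as an added example that is not part of the thread and is not aws-jwt-verify code. It uses only Node.js `crypto`; `signJwt`, `verifyJwt`, the `k1` key id and the sample claims are constructed for illustration, and the option names only mirror the snippet in the issue.

```javascript
// Added example: a standalone Node.js sketch, not aws-jwt-verify code.
const crypto = require("node:crypto");

const b64url = (x) => Buffer.from(x).toString("base64url");
const decode = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Constructed fixture: a throwaway RSA key pair and a one-key JWKS.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const JWKS = { keys: [{ ...publicKey.export({ format: "jwk" }), kid: "k1", alg: "RS256" }] };

// Test helper (hypothetical): sign a payload as an RS256 JWT.
function signJwt(payload, header = { alg: "RS256", kid: "k1" }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${crypto.sign("sha256", Buffer.from(input), privateKey).toString("base64url")}`;
}

// Verify against one fixed JWKS, so no `iss` is needed to find the keys.
// `issuer: null` skips only the issuer comparison; the algorithm pin,
// signature check and expiry check always run.
function verifyJwt(jwt, { jwks, issuer = null, customJwtCheck = () => {} }) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("Malformed JWT");
  const [h, p, s] = parts;
  const header = decode(h);
  if (header.alg !== "RS256") throw new Error("Unsupported alg");
  const jwk = jwks.keys.find((k) => k.kid === header.kid);
  if (!jwk) throw new Error("Unknown kid");
  const key = crypto.createPublicKey({ key: jwk, format: "jwk" });
  const ok = crypto.verify("sha256", Buffer.from(`${h}.${p}`), key, Buffer.from(s, "base64url"));
  if (!ok) throw new Error("Invalid signature");
  // Claims are read only after the signature has been verified.
  const payload = decode(p);
  if (typeof payload.exp !== "number" || payload.exp * 1000 <= Date.now())
    throw new Error("Expired or missing exp"); // this sketch requires exp
  if (issuer !== null && payload.iss !== issuer)
    throw new Error(`Issuer mismatch. Expected: ${issuer}`);
  customJwtCheck({ header, payload });
  return payload;
}

// Constructed token with no `iss` claim, valid for five minutes.
const noIssJwt = signJwt({ sub: "user-1", scope: "read", exp: Math.floor(Date.now() / 1000) + 300 });
console.log(verifyJwt(noIssJwt, { jwks: JWKS, issuer: null }));
```

Because the keys come from a single configured JWKS rather than a cache looked up by `iss`, the token's issuer plays no part in key selection here.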