aws-jwt-verify

[BUG] Library forces presence of optional "use" field in JWKS key

Open CaerusKaru opened this issue 2 years ago • 4 comments

Describe the bug
If you have a JWKS with a key without the use field, the library will throw an error because it is missing. This violates the spec on this, which states: Use of the "use" member is OPTIONAL, unless the application requires its presence. I believe this means this should not be on the library side to enforce, and should be optional on the part of app owners.

Versions
Which version of aws-jwt-verify are you using? 3.1.0
Are you using the library in Node.js or in the Web browser? NodeJS
If Node.js, which version of Node.js are you using? (Should be at least 14) 16
If Web browser, which web browser and which version of it are you using? N/A
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) 4.7.4

To Reproduce
If you can, please provide a minimal code example that reproduces the bug.

I am an Amazon employee, using Amazon JWKS provides, so please DM me internally for a reproduction of my exact case. Otherwise, simply refer to the unit tests for the library, which cover this case explicitly.

CaerusKaru avatar Sep 10 '22 21:09 CaerusKaru

Thanks for the message; we'll consider this and reach out to you.

A workaround, in case you're interested:

import { CognitoJwtVerifier } from "aws-jwt-verify";
import { SimpleJwksCache } from "aws-jwt-verify/jwk";

// Workaround for the strict "use" check: fetch the JWKS as usual, then default
// "use" to "sig" on keys that do not carry it. Keys that already declare a
// "use" (e.g. "enc") are left untouched, so the library still rejects them.
class CustomJwksCache extends SimpleJwksCache {
    async getJwks(jwksUri: string) {
        const jwks = await super.getJwks(jwksUri);
        for (const jwk of jwks.keys) {
            if (jwk.use === undefined) jwk.use = "sig";
        }
        return jwks;
    }
}

const verifier = CognitoJwtVerifier.create({
    ...config // the usual verifier properties (userPoolId, tokenUse, clientId)
}, {
    jwksCache: new CustomJwksCache()
});

ottokruse avatar Sep 12 '22 08:09 ottokruse

Way ahead of you on the workaround (works perfectly), but thanks for posting that here, in case someone else needs it. I would've posted mine, but again, internal stuff 😄

CaerusKaru avatar Sep 12 '22 08:09 CaerusKaru

Can't locate you to DM you @CaerusKaru. Please share your alias or ping me?

ottokruse avatar Sep 21 '22 09:09 ottokruse

Status: agreed that we should make the check on the use field optional; only if the field is there should we check that its value is "sig".

Asked @CaerusKaru if he'd be interested in creating a PR for this.

ottokruse avatar Oct 12 '22 07:10 ottokruse
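The check agreed above, as an added example that is neither aws-jwt-verify's own code nor anything posted in this thread. It puts the reported behaviour (reject a JWK that has no "use" member) next to the agreed behaviour (accept a missing "use"; when it is present, anything other than "sig" is rejected, which keeps a key published with use "enc" from ever verifying a signature) and selects a key by kid from a constructed sample JWKS. The function names (`strictUseCheck`, `assertJwkUsableForSignatures`, `selectSigningJwk`, `acceptedKids`), the `SAMPLE_JWKS` constant and its placeholder `n`/`e` values are this example's assumptions, not real key material or library identifiers.

```typescript
// Added example, not code from aws-jwt-verify: the "use" check as agreed in
// this thread, applied when picking the JWK that should verify a JWT.
// Function names and the sample JWKS below are this example's own; the key
// material is placeholder text, not real RSA parameters.

interface Jwk {
  kty: string;
  kid?: string;
  use?: string;
  alg?: string;
  [member: string]: unknown;
}

interface Jwks {
  keys: Jwk[];
}

class JwkInvalidUseError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "JwkInvalidUseError";
  }
}

class JwkNotFoundError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "JwkNotFoundError";
  }
}

// Behaviour this issue reports: a missing "use" member is treated as an error.
function strictUseCheck(jwk: Jwk): void {
  if (jwk.use !== "sig") {
    throw new JwkInvalidUseError(
      `JWK "use" is ${JSON.stringify(jwk.use)}, expected "sig"`
    );
  }
}

// Behaviour agreed at the end of the thread, matching RFC 7517 section 4.2
// ("use" is OPTIONAL): accept an absent "use"; when it is present it must be
// "sig", so a key published for encryption is never used to verify signatures.
function assertJwkUsableForSignatures(jwk: Jwk): void {
  if (jwk.use !== undefined && jwk.use !== "sig") {
    throw new JwkInvalidUseError(
      `JWK kid=${jwk.kid ?? "<none>"} has use=${JSON.stringify(jwk.use)}; ` +
        `expected "sig" or no "use" member`
    );
  }
}

// Select the key named by the JWT header's kid and apply the relaxed check.
function selectSigningJwk(jwks: Jwks, kid: string): Jwk {
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (jwk === undefined) {
    throw new JwkNotFoundError(`no JWK with kid=${kid} in JWKS`);
  }
  assertJwkUsableForSignatures(jwk);
  return jwk;
}

// Constructed sample JWKS (placeholder n/e values, not a real key set).
const SAMPLE_JWKS: Jwks = {
  keys: [
    { kty: "RSA", kid: "key-without-use", alg: "RS256", n: "placeholder-n", e: "AQAB" },
    { kty: "RSA", kid: "key-for-sig", use: "sig", alg: "RS256", n: "placeholder-n", e: "AQAB" },
    { kty: "RSA", kid: "key-for-enc", use: "enc", alg: "RSA-OAEP", n: "placeholder-n", e: "AQAB" },
  ],
};

// Report which kids a given policy accepts, to make the difference visible.
function acceptedKids(jwks: Jwks, check: (jwk: Jwk) => void): string[] {
  return jwks.keys
    .filter((jwk) => {
      try {
        check(jwk);
        return true;
      } catch {
        return false;
      }
    })
    .map((jwk) => jwk.kid ?? "<none>");
}

// Strict policy accepts only key-for-sig; the agreed policy also accepts
// key-without-use, and both reject key-for-enc.
console.log("strict:", acceptedKids(SAMPLE_JWKS, strictUseCheck));
console.log("agreed:", acceptedKids(SAMPLE_JWKS, assertJwkUsableForSignatures));
```

The relaxed check is deliberately not "ignore use": an "enc" key still fails, which is the part of the check that has security value, while an absent member is left to the application, as the spec text quoted in the issue allows.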