mpdavis
Problem validating JWK in JWT with diverse keyset (from PingFederate)
jose.exceptions.JWKError: Incorrect key type. Expected: 'oct', Received: EC
(happening in the CryptographyHMACKey class)
If I understand what is happening correctly, the key-type is taken from the header of the JWT, and then all the keys in the keyset are interpreted as having that type, so instead of just not trying to verify against a key with the wrong key-type, it fails to create an instance of the key class because the key type is wrong.
In the case I'm dealing with, the access token has "alg":"RS256", and the key in the keyset that is presumably causing the problem is the first one in the keyset.
{
'kty': 'EC',
'kid': '6YcVg_ciCcvEltWw7pkG-Yh-L9Y',
'use': 'sig',
'alg': 'ES256',
'x': 'IAOxVJ-BSmWAmZGeJAjqhSt2mteTVQ0coADcgwcmMto',
'y': 'Iu8w99W6Fihn0QEOnmWPUpc2XHW82xKRu-q_w_Xh61M',
'crv': 'P-256'
}
Furthermore, it looks like that were patched, there would still be a problem because many of the keys in the keyset that comes from the PingFederate server have key type and no algorithm, which seems to be perfectly valid, but jwk.construct will raise an exception if no algorithm value is found in a key.
See https://datatracker.ietf.org/doc/html/rfc7517#page-5 . The example has no alg, so that seems to be a normal kind of thing.
Maybe I'm missing something?
Of course, one thing that makes me think I might be missing something is that no key in the keyset has either "alg":"RS256" or "kty":"oct". Maybe if one did, then the code I'm describing issues with would not have been reached? I don't see any evidence of that in the code though.
