Should the JWK "use" parameter be optional?
Preflight checklist
- [x] I could not find a solution in the existing issues, docs, nor discussions.
- [x] I agree to follow this project's Code of Conduct.
- [x] I have read and am following this repository's Contribution Guidelines.
- [ ] I have joined the Ory Community Slack.
- [ ] I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe your problem
Counterpart to https://github.com/likeandscribe/frontpage/issues/237:
When using "private_key_jwt" authentication, Fosite refuses to accept keys which don't have "use": "sig".
RFC7517 states:
> Use of the "use" member is OPTIONAL, unless the application requires its presence.
Should there be a way to disable this check?
Describe your ideal solution
A way to disable this check; perhaps a way to customise the search for public keys without having to override the whole of DefaultClientAuthenticationStrategy().
Workarounds or alternatives
Adding the "use" parameter to frontpage.fyi's key, per https://github.com/likeandscribe/frontpage/issues/237
Version
v0.46.1
Additional Context
No response
See also: https://github.com/bluesky-social/atproto/discussions/3757
This is configurable. Just copy the strategy and make the adjustments you want then assign it appropriately.
> Just copy the strategy
Yes, this is possible, but it doesn't seem ideal to have to make a local copy of >300 lines of code purely to make one small adjustment to it.
Mostly it does exactly what I want, so I think it would be far better to be able to "fine-tune" it rather than having to copy it wholesale and subsequently keep it up to date if/when it changes upstream.
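The two policies discussed in this thread, side by side, as an added example that is not part of the original issue and is not Fosite's code: a strict selector that insists on "use": "sig", and a lenient one that follows RFC 7517 by accepting a key with no "use" member while still rejecting a key explicitly marked for another purpose. The names `JWK`, `SelectSigKey`, `requireUse` and `SampleJWKS` are hypothetical, and the sample key set is constructed with key material omitted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// JWK holds only the RFC 7517 members this selection logic inspects.
type JWK struct {
	Kid string `json:"kid"`
	Use string `json:"use,omitempty"`
}

// SelectSigKey returns the key with the given kid if policy allows it to
// verify a client assertion. requireUse=true demands "use":"sig";
// requireUse=false also accepts an absent "use", never a different one.
func SelectSigKey(raw []byte, kid string, requireUse bool) (*JWK, error) {
	var set struct {
		Keys []JWK `json:"keys"`
	}
	if err := json.Unmarshal(raw, &set); err != nil {
		return nil, fmt.Errorf("parse JWKS: %w", err)
	}
	for i := range set.Keys {
		k := &set.Keys[i]
		switch {
		case k.Kid != kid:
			continue // applies to the enclosing for loop
		case k.Use == "sig", k.Use == "" && !requireUse:
			return k, nil
		case k.Use == "":
			return nil, errors.New(`key has no "use" member and policy requires "sig"`)
		default:
			return nil, fmt.Errorf(`key "use" is %q, not "sig"`, k.Use)
		}
	}
	return nil, errors.New("no key with matching kid")
}

// SampleJWKS is constructed for this example (key material omitted).
const SampleJWKS = `{"keys":[{"kty":"EC","kid":"no-use"},
 {"kty":"EC","kid":"signing","use":"sig"},
 {"kty":"EC","kid":"encryption","use":"enc"}]}`

func main() {
	for _, kid := range []string{"no-use", "signing", "encryption"} {
		_, err := SelectSigKey([]byte(SampleJWKS), kid, false)
		fmt.Printf("%-10s lenient policy: err=%v\n", kid, err)
	}
}
```

Under the lenient policy only the key marked "enc" is refused, so a key set that labels its encryption key cannot have that key used to verify a signed client assertion.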