Do not ignore all JWKS parsing errors

Open morigs opened this issue 1 year ago • 3 comments

Preflight Checklist

  • [X] I could not find a solution in the existing issues, docs, nor discussions
  • [ ] I have joined the ZITADEL chat

Describe your problem

Currently, jsonWebKeySet.UnmarshalJSON ignores all parsing errors. The comment says that this is done to ignore "unknown key types (kty)", but in fact it ignores all errors (for instance, invalid base64). This makes debugging such errors extremely hard.

Describe your ideal solution

Returning an error describing why key verification really failed instead of "missing keys". Or at least log occurring errors somewhere as warnings.

Version

3.11.1

Environment

Self-hosted

Additional Context

No response

morigs avatar Feb 08 '24 07:02 morigs
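
The distinction the issue asks for, as an added standard-library sketch (not code from zitadel/oidc or go-jose): an unknown `kty` is skipped, while any other per-key failure, such as invalid base64url, is collected and returned. `ParseJWKS`, `checkKey`, `ErrUnknownKty` and the sample key set are hypothetical names and constructed data.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// ErrUnknownKty is the only per-key failure that is safe to skip silently.
var ErrUnknownKty = errors.New("unknown kty")

// Constructed sample: a usable RSA key, an unknown kty, and an RSA key with invalid base64url.
const sampleJWKS = `{"keys":[{"kty":"RSA","kid":"good","n":"0vx7agoebGcQ","e":"AQAB"},
 {"kty":"FUTURE","kid":"future"},
 {"kty":"RSA","kid":"bad","n":"not*base64!","e":"AQAB"}]}`

type rawKey struct{ Kty, Kid, N, E string }

// checkKey handles only RSA and checks only that n and e decode as base64url.
func checkKey(k rawKey) error {
	if k.Kty != "RSA" {
		return fmt.Errorf("kid %q: %w %q", k.Kid, ErrUnknownKty, k.Kty)
	}
	for _, f := range [][2]string{{"n", k.N}, {"e", k.E}} {
		if _, err := base64.RawURLEncoding.DecodeString(f[1]); err != nil {
			return fmt.Errorf("kid %q: field %q: %w", k.Kid, f[0], err)
		}
	}
	return nil
}

// ParseJWKS returns usable and skipped key IDs, plus every real parse error joined together.
func ParseJWKS(data []byte) (usable, skipped []string, err error) {
	var set struct{ Keys []rawKey }
	if err := json.Unmarshal(data, &set); err != nil {
		return nil, nil, err
	}
	var errs []error
	for _, k := range set.Keys {
		switch e := checkKey(k); {
		case e == nil:
			usable = append(usable, k.Kid)
		case errors.Is(e, ErrUnknownKty):
			skipped = append(skipped, k.Kid)
		default:
			errs = append(errs, e)
		}
	}
	return usable, skipped, errors.Join(errs...)
}
func main() { fmt.Println(ParseJWKS([]byte(sampleJWKS))) }
```

A caller can keep verifying with the usable keys and log the joined error as a warning, so a malformed key shows up as such instead of as "missing keys".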

Hey @morigs

Thanks for the issue. We'll look into it.

livio-a avatar Feb 12 '24 09:02 livio-a

Need to recheck if github.com/go-jose/go-jose/v4's latest release has an impact / would fix this.

livio-a avatar Jul 10 '24 11:07 livio-a

@livio-a it seems that the error fix you were looking for got reverted upstream, because it became a breaking change: https://github.com/zitadel/oidc/pull/625

muhlemmer avatar Jul 29 '24 08:07 muhlemmer