Closed rdfield closed 3 years ago
When supplying a kid_keys list with the format:
my $keylist = { keys => [ { kid=>"key1", kty=>"RSA", alg => "RS256", n => "...", ... }, { kid=>"key2", kty=>"RSA", alg => "RS256", n => "...", ... }, ] };
my $payload = decode_jwt(token=>$t, kid_keys=>$keylist);
and the token is signed with PS256 (an OIDC FAPI requirement), the signature check fails with "key type 'RSA' cannot be used with alg 'PS256'".
Changing the line
return $found if $found->{kty} eq 'RSA' && $alg =~ /^RS/;
to
return $found if $found->{kty} eq 'RSA' && $alg =~ /^(RS|PS)/;
in _kid_lookup fixes the issue.
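As an added example (not Crypt::JWT's own code), a stand-alone Perl stand-in for the kid lookup with the suggested regex change, plus the key-type-to-algorithm-family check a verifier must keep so that a header alg cannot pull a key into the wrong family; the key list, kid_lookup name and all key values are constructed placeholders.

```perl
use strict;
use warnings;

# Constructed key list in the same shape as the kid_keys argument;
# n/e/x/y are placeholder strings, not real key material.
my $keylist = {
    keys => [
        { kid => "key1", kty => "RSA", alg => "PS256", n => "PLACEHOLDER_N", e => "AQAB" },
        { kid => "key2", kty => "EC",  alg => "ES256", crv => "P-256",
          x => "PLACEHOLDER_X", y => "PLACEHOLDER_Y" },
    ],
};

# Hypothetical stand-in for _kid_lookup: return the JWK whose kid matches,
# but only if its key type is valid for the JWS alg from the token header.
# RS* (RSASSA-PKCS1-v1_5) and PS* (RSASSA-PSS) both require an RSA key;
# ES* requires an EC key. Anything else is rejected rather than guessed.
sub kid_lookup {
    my ($kid, $alg, $keys) = @_;
    my ($found) = grep { $_->{kid} eq $kid } @{ $keys->{keys} };
    die "kid '$kid' not found\n" unless $found;

    # If the JWK carries its own "alg" (RFC 7517 section 4.4), require an
    # exact match so a key published for one algorithm is not reused for another.
    if (defined $found->{alg} && $found->{alg} ne $alg) {
        die "key '$kid' is restricted to alg '$found->{alg}', header says '$alg'\n";
    }

    return $found if $found->{kty} eq 'RSA' && $alg =~ /^(RS|PS)/;  # PS accepted
    return $found if $found->{kty} eq 'EC'  && $alg =~ /^ES/;
    die "key type '$found->{kty}' cannot be used with alg '$alg'\n";
}

# PS256 with the RSA key resolves after the fix.
my $k = kid_lookup("key1", "PS256", $keylist);
print "PS256 -> kid $k->{kid} (kty $k->{kty})\n";

# An EC key is still refused for an RSA-family alg.
eval { kid_lookup("key2", "PS256", $keylist) };
print "rejected: $@" if $@;

# A header alg that disagrees with the key's own alg is refused too.
eval { kid_lookup("key1", "RS256", $keylist) };
print "rejected: $@" if $@;
```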