Closed ksegun closed 3 days ago
@ksegun thank you for opening this issue. If you are comfortable sharing, is the JWK Set from a custom written application or a SaaS provider like AWS or Azure?
@MicahParks the JWK Set is from a custom written application.
@ksegun in that case I'll let you know it seems a bit odd that a certificate thumbprint (x5t) is present but the certificate itself (x5c or x5u) is not. It may possibly be a bug in the service that creates the JWK Set.
Regardless, it seems the RFC does not specifically mention that a certificate must be present for a thumbprint to be included. Therefore, I'm writing a patch for the jwkset project and will increment the version this project, keyfunc, uses and notify you of a release. I'm hoping to get that out in the next hour or so.
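The validation rule discussed in this thread (cross-check x5t against x5c only when the certificate is actually present, and accept a thumbprint on its own) can be illustrated with the Go standard library alone. The following is an added example written for this page; it is not code from the keyfunc or jwkset projects and does not use their APIs. The type names, the self-signed certificate helper and the thumbprint-only JWK Set literal are all constructed for the example; the RSA key material is trimmed to the members relevant here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// JWK holds only the RFC 7517 members this example needs; other members are ignored.
type JWK struct {
	Kty string   `json:"kty"`
	Kid string   `json:"kid,omitempty"`
	X5t string   `json:"x5t,omitempty"` // base64url SHA-1 of the DER certificate (RFC 7517 section 4.8)
	X5c []string `json:"x5c,omitempty"` // standard base64 (not base64url) DER certificates (section 4.7)
}

// JWKSet is the top-level object served by a JWKS endpoint.
type JWKSet struct {
	Keys []JWK `json:"keys"`
}

// ErrThumbprintMismatch is returned when x5c is present but x5t is not its SHA-1 thumbprint.
var ErrThumbprintMismatch = errors.New("x5t does not match SHA-1 thumbprint of x5c[0]")

// ThumbprintOnlySet is a constructed JWK Set with x5t and no x5c, the shape reported in this issue.
// The thumbprint is a constructed placeholder (27 base64url chars = 20 SHA-1 bytes), not a real cert hash.
const ThumbprintOnlySet = `{"keys":[{"kty":"RSA","kid":"k1","use":"sig","alg":"RS256","x5t":"dGVzdC10aHVtYnByaW50LTEyMzQ"}]}`

// ValidateX5t cross-checks x5t against x5c only when both are present.
// A JWK carrying x5t without x5c is accepted, matching the thread's reading of the RFC.
func ValidateX5t(k JWK) error {
	if k.X5t == "" || len(k.X5c) == 0 {
		return nil // nothing to compare against; the thumbprint alone is not an error
	}
	der, err := base64.StdEncoding.DecodeString(k.X5c[0])
	if err != nil {
		return fmt.Errorf("x5c[0] is not valid base64: %w", err)
	}
	sum := sha1.Sum(der) // RFC 7517 defines x5t as SHA-1 over the DER of the first certificate
	if base64.RawURLEncoding.EncodeToString(sum[:]) != k.X5t {
		return ErrThumbprintMismatch
	}
	return nil
}

// ParseJWKSet decodes a JWK Set and validates every key's thumbprint, reporting the failing index.
func ParseJWKSet(raw []byte) (JWKSet, error) {
	var set JWKSet
	if err := json.Unmarshal(raw, &set); err != nil {
		return set, err
	}
	for i, k := range set.Keys {
		if err := ValidateX5t(k); err != nil {
			return set, fmt.Errorf("keys[%d]: %w", i, err)
		}
	}
	return set, nil
}

// SelfSignedJWK builds a JWK with both x5c and x5t from a throwaway self-signed certificate
// generated at runtime, so the consistency check can be exercised offline. With corrupt=true
// the x5t member is replaced by a wrong value to show the mismatch path.
func SelfSignedJWK(kid string, corrupt bool) (JWK, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return JWK{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example"}, // constructed subject
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return JWK{}, err
	}
	sum := sha1.Sum(der)
	x5t := base64.RawURLEncoding.EncodeToString(sum[:])
	if corrupt {
		x5t = "AAAAAAAAAAAAAAAAAAAAAAAAAAA" // wrong thumbprint of the right length
	}
	return JWK{Kty: "EC", Kid: kid, X5t: x5t, X5c: []string{base64.StdEncoding.EncodeToString(der)}}, nil
}

func main() {
	_, err := ParseJWKSet([]byte(ThumbprintOnlySet))
	fmt.Println("x5t without x5c accepted:", err == nil)
	good, _ := SelfSignedJWK("good", false)
	fmt.Println("matching x5t/x5c accepted:", ValidateX5t(good) == nil)
	bad, _ := SelfSignedJWK("bad", true)
	fmt.Println("mismatched x5t rejected:", errors.Is(ValidateX5t(bad), ErrThumbprintMismatch))
}
```

The check deliberately compares only x5c[0]: RFC 7517 ties x5t to the first certificate in the chain, and a mismatch there is the case worth rejecting, since a thumbprint that disagrees with the certificate it is supposed to identify is more likely to be a publishing error than an honest key.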
@ksegun the newest version of the keyfunc project, v3.3.5, should have the bug fix you need.
go get github.com/MicahParks/keyfunc/v3@v3.3.5
Please let me know if this resolves your issue or not.
@MicahParks thanks for the rapid response, I can confirm the latest version fixes the issue. I will follow up with the team that owns the application about this issue as well so they can do something about it. Thank you so much, I am simply blown away!
We encountered the following issue when migrating to v3. When the JWK Set contains a JWK with x5t and no x5c it fails with the error below. The same payload did not fail prior to v3.
Failed to refresh HTTP JWK Set from remote HTTP resource. error="failed to create JWK from JWK Marshal: failed to validate JSON Web Key: failed to validate JWK: X5T in marshal does not match X5T in marshalled" url=http://127.0.0.1:62343
Here is a sample that demonstrates the issue.