awslabs / aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, and RS512
Apache License 2.0

Only verify for the JWK at hand, that it is a JWK intended for RSA signatures #70

Closed ottokruse closed 2 years ago

ottokruse commented 2 years ago

Issue #, if available: #68

Description of changes: Only verify for the JWK at hand, that it is a JWK intended for RSA signatures.

In other words: the complete JWKS may from this change onwards, also comprise non-RSA JWKs (e.g. for elliptic curve signatures). Previously, the inclusion of a non-RSA JWK in the JWKS would throw an error, even if that JWK was not used for the signature verification of the JWT at hand.

So the following (new) unit test now passes, where it would have failed before, because there are non-RSA JWKs in the JWKS that triggered a JWK validation failure before:

https://github.com/awslabs/aws-jwt-verify/blob/752212b283fa395b6076569f59253f9fbab2d90c/tests/unit/jwt-rsa.test.ts#L104-L132

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

ottokruse commented 2 years ago

Thanks @leelalagudu @hakanson wanna have a peek at this one?

hakanson commented 2 years ago

I just had the one comment/question above related to new Errors in error.ts, otherwise LGTM

hakanson commented 2 years ago

I did another pass through the code - still looks good and findJwkInJwks does make things more readable.