awslabs / aws-jwt-verify

JS library for verifying JWTs signed by Amazon Cognito, and any OIDC-compatible IDP that signs JWTs with RS256, RS384, RS512, ES256, ES384, and ES512
Apache License 2.0
621 stars, 44 forks

[BUG] Library forces presence of optional "use" field in JWKS key #87

Closed CaerusKaru closed 2 months ago

CaerusKaru commented 2 years ago

Describe the bug If you have a JWKS with a key without the use field, the library will throw an error because it is missing. This violates the spec on this, which states that "Use of the "use" member is OPTIONAL, unless the application requires its presence.", which I believe means this should not be on the library side to enforce, and should be optional on the part of app owners.

Versions
Which version of aws-jwt-verify are you using? 3.1.0
Are you using the library in Node.js or in the Web browser? NodeJS
If Node.js, which version of Node.js are you using? (Should be at least 14) 16
If Web browser, which web browser and which version of it are you using? N/A
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) 4.7.4

To Reproduce If you can, please provide a minimal code example that reproduces the bug.

I am an Amazon employee, using Amazon JWKS provides, so please DM me internally for a reproduction of my exact case. Otherwise, simply refer to the unit tests for the library, which cover this case explicitly.

ottokruse commented 2 years ago

Thanks for the message, we'll consider this and reach out to you.

A workaround, if you might be interested:

```ts
import { CognitoJwtVerifier } from "aws-jwt-verify";
import { SimpleJwksCache } from "aws-jwt-verify/jwk";

// Wrap the default cache so that keys fetched from the JWKS endpoint pass the
// library's "use" check: any key that does not declare a "use" member is
// treated as a signing key. Keys that already declare a "use" are left alone,
// so a key published with use="enc" is still rejected by the verifier.
class CustomJwksCache extends SimpleJwksCache {
    async getJwks(jwksUri: string) {
        const jwks = await super.getJwks(jwksUri);
        jwks.keys.forEach((jwk) => {
            if (jwk.use === undefined) jwk.use = "sig";
        });
        return jwks;
    }
}

// `config` stands for your usual verifier properties (userPoolId, tokenUse, clientId).
const verifier = CognitoJwtVerifier.create({
    ...config
}, {
    jwksCache: new CustomJwksCache()
});
```

CaerusKaru commented 2 years ago

Way ahead of you on the workaround (works perfectly), but thanks for posting that here, in case someone else needs it. I would've posted mine, but again, internal stuff 😄

ottokruse commented 2 years ago

Can't locate you to DM you @CaerusKaru. Please share your alias or ping me?

ottokruse commented 1 year ago

Status: agreed that we should make the check on the use field optional; only if the field is present should we check that its value is sig.

Asked @CaerusKaru if he'd be interested to create a PR for this