Closed jdreichmann closed 10 months ago
FYI there may be a fix to this coming up in jsonwebtoken as per https://github.com/Keats/jsonwebtoken/issues/252#issuecomment-1607011726. Hopefully 🤞 that comes in soon and then this library can make use of it.
For posterity, I ran into this when using Keycloak. Disabling RSA-OAEP in the realm per this comment helped unblock me: https://github.com/Keats/jsonwebtoken/issues/252#issuecomment-1606252537
I also had this problem with Keycloak 20 with default settings. When disabling RSA-OAEP in the realm, it did not seem to update the JWKS endpoint, and I did not find a way to force the endpoint to rebuild its answer.
jwt-authorizer fails with a `AuthErrors::JwksRefreshError: error decoding response body: unknown variant 'RSA-OAEP'` when the JWKS URL contains a key where `alg` is `RSA-OAEP`.

It seems that https://github.com/cduvray/jwt-authorizer/blob/main/jwt-authorizer/src/jwks/key_store_manager.rs#L182 attempts to ignore a JWK if it's not decodable, but if a serialized JWK is unable to be cast into a JWK in https://github.com/cduvray/jwt-authorizer/blob/main/jwt-authorizer/src/jwks/key_store_manager.rs#L172 (which is the case if its algorithm is not in https://github.com/Keats/jsonwebtoken/blob/master/src/algorithms.rs#L16), the entire method returns the AuthError.
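The failure mode described in the issue, as an added illustration that is not code from jwt-authorizer or jsonwebtoken: decoding the whole JWKS into a strict `Algorithm` type fails on the first unsupported `alg`, while a two-stage approach keeps the `alg` string in a raw form and converts key by key, skipping encryption keys (`use: "enc"`) and unknown algorithms instead of dropping the entire key set. The `Algorithm` list, the `RawJwk`/`VerifyKey` types and the sample JWKS are assumptions constructed for this example; the JSON decoding step is stood in for by struct literals.

```rust
use std::str::FromStr;

// Signing algorithms the verifier accepts (assumption: mirrors the variants
// jsonwebtoken's Algorithm enum knows; RSA-OAEP is an encryption alg, not here).
#[derive(Debug, Clone, Copy, PartialEq)]
enum Algorithm { HS256, HS384, HS512, ES256, ES384, RS256, RS384, RS512, PS256, PS384, PS512, EdDSA }

// Error raised for any alg string outside the list above, like serde's "unknown variant".
#[derive(Debug, PartialEq)]
struct UnknownVariant(String);

impl FromStr for Algorithm {
    type Err = UnknownVariant;
    fn from_str(s: &str) -> Result<Self, Self::Err> {
        Ok(match s {
            "HS256" => Algorithm::HS256, "HS384" => Algorithm::HS384, "HS512" => Algorithm::HS512,
            "ES256" => Algorithm::ES256, "ES384" => Algorithm::ES384,
            "RS256" => Algorithm::RS256, "RS384" => Algorithm::RS384, "RS512" => Algorithm::RS512,
            "PS256" => Algorithm::PS256, "PS384" => Algorithm::PS384, "PS512" => Algorithm::PS512,
            "EdDSA" => Algorithm::EdDSA,
            other => return Err(UnknownVariant(other.to_string())),
        })
    }
}

// Stage 1: the JWKS as published, with `alg` kept as a string so decoding never fails.
struct RawJwk<'a> { kid: &'a str, use_: &'a str, alg: &'a str }

// Stage 2: a key the verifier is actually willing to use for signature checks.
#[derive(Debug, PartialEq)]
struct VerifyKey { kid: String, alg: Algorithm }

// Strict conversion: one unsupported key poisons the whole set (the behaviour in the issue).
fn keys_strict(raw: &[RawJwk<'_>]) -> Result<Vec<VerifyKey>, UnknownVariant> {
    raw.iter()
        .map(|k| -> Result<VerifyKey, UnknownVariant> {
            Ok(VerifyKey { kid: k.kid.to_string(), alg: k.alg.parse()? })
        })
        .collect()
}

// Lenient conversion: keep only signature keys with a known alg; report skipped kids
// so an operator can see in logs which published keys were ignored and why.
fn keys_lenient(raw: &[RawJwk<'_>]) -> (Vec<VerifyKey>, Vec<String>) {
    let (mut keys, mut skipped) = (Vec::new(), Vec::new());
    for k in raw {
        match (k.use_, k.alg.parse::<Algorithm>()) {
            ("sig", Ok(alg)) => keys.push(VerifyKey { kid: k.kid.to_string(), alg }),
            _ => skipped.push(k.kid.to_string()),
        }
    }
    (keys, skipped)
}

// Constructed sample in the shape Keycloak publishes: one RS256 signing key, one RSA-OAEP encryption key.
fn sample_jwks() -> Vec<RawJwk<'static>> {
    vec![RawJwk { kid: "sig-1", use_: "sig", alg: "RS256" },
         RawJwk { kid: "enc-1", use_: "enc", alg: "RSA-OAEP" }]
}
```

Running `keys_strict` on the sample reproduces the issue's error for `RSA-OAEP`; `keys_lenient` returns the RS256 key and lists `enc-1` as skipped.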