Closed jkogler-cloudflight closed 2 years ago

If you create an access token for a different API audience, or different tenant, then obviously the authorization should fail. However the error message is 401 "Malformed token". This is quite misleading: normally when a token is malformed, it is because you just gave a random string, or because you forgot to copy-paste a few characters.

The error comes from: https://github.com/dorinclisu/fastapi-auth0/blob/ae5256d06e8cd9bdc17c1138178be9612b24e7dc/src/fastapi_auth0/auth.py#L118-L140

The `kid` is different (because of a different API audience), and therefore the `rsa_key` is empty, and a general `JWTError` is raised. Is it possible to give a better error message? Maybe something like "Token not authorized" or "Token has wrong audience" would be better suited.

---

The problem is not related to a wrong audience, but more like a wrong tenant. For sure it's possible to display an explicit message when `rsa_key` is empty instead of raising `JWTError`, but I'm not sure if this wouldn't cause a potential vulnerability, when an attacker could guess your `kid` by constructing tokens and checking the error message in a brute-force manner.

Though I think it's unlikely `kid` is sensitive in itself, and a smart attacker could anyway figure out if the `kid` is wrong or not with a timing attack leveraging the different execution times of the branches.

---

I know way too little about JWT and their security. But I doubt that this info (that the token is not valid for the audience/domain) is a security concern. An attacker could also just run the code locally and figure that out. In fact he could just call https://{domain}/.well-known/jwks.json and extract the correct `kid`. That key id is not a very secret info.

---

Published in 0.3.0.
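The thread turns on one step of JWT validation: selecting the signing key from the JWKS by the token header's `kid`, and what to report when no key matches. The following is an added illustration, not code from fastapi-auth0 or from anyone in the thread. It separates "the token cannot be parsed" from "the token is well-formed but signed with a key id this tenant does not publish", and keeps the response generic rather than echoing the key id back, which addresses the enumeration concern raised above. The JWKS and tokens are constructed sample data with placeholder key material; the names `select_signing_key`, `classify` and `make_token` are this example's own. Signature verification itself is out of scope here and would follow the key selection.

```python
import base64
import json

# Constructed sample JWKS standing in for https://{domain}/.well-known/jwks.json.
# The modulus is a placeholder, not a real key.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "tenant-a-key-1", "use": "sig", "alg": "RS256",
         "n": "placeholder-modulus", "e": "AQAB"},
    ]
}


class MalformedToken(Exception):
    """The string is not structurally a JWT (bad segments, header not JSON, no kid/alg)."""


class UnknownKeyId(Exception):
    """Well-formed JWT, but no published key matches its kid (e.g. other tenant)."""


def _b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without padding; restore padding before decoding."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def parse_unverified_header(token: str) -> dict:
    """Parse only the header; nothing here is trusted until the signature is checked."""
    parts = token.split(".")
    if len(parts) != 3 or not all(parts):
        raise MalformedToken("token is not three non-empty dot-separated segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # binascii.Error, UnicodeDecodeError, JSONDecodeError
        raise MalformedToken("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict) or "kid" not in header or "alg" not in header:
        raise MalformedToken("header lacks kid or alg")
    return header


def select_signing_key(token: str, jwks: dict) -> dict:
    """Return the JWKS entry whose kid (and alg, if published) matches the token header."""
    header = parse_unverified_header(token)
    for key in jwks.get("keys", []):
        if key.get("kid") == header["kid"] and key.get("alg", header["alg"]) == header["alg"]:
            return key
    # Generic message on purpose: do not reflect the requested kid in the error.
    raise UnknownKeyId("no signing key matches the token's key id")


def classify(token: str, jwks: dict) -> str:
    """Map the outcome to a coarse category a caller could turn into a 401 reason."""
    try:
        select_signing_key(token, jwks)
    except MalformedToken:
        return "malformed"
    except UnknownKeyId:
        return "unknown_kid"
    return "key_found"


def make_token(header: dict) -> str:
    """Build a constructed token with the given header, a dummy payload and a dummy signature."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"demo"}'), enc(b"sig")])


if __name__ == "__main__":
    print(classify(make_token({"alg": "RS256", "kid": "tenant-a-key-1"}), SAMPLE_JWKS))
    print(classify(make_token({"alg": "RS256", "kid": "tenant-b-key-9"}), SAMPLE_JWKS))
    print(classify("this-is-not-a-jwt", SAMPLE_JWKS))
```

Whether the two 401 reasons should be distinguishable to the client is the judgement call the thread debates; the split above at least keeps the distinction available server-side for logging and metrics, where a spike of `unknown_kid` (tokens from another tenant hitting this API) looks very different from a spike of `malformed`.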