lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License
4.55k stars 452 forks

RFC7523: `PrivateKeyJWT` and `ClientSecretJWT` headers ignored #551

Closed dhallam closed 1 year ago

dhallam commented 1 year ago

Describe the bug

This is in relation to RFC7523 and the PrivateKeyJWT and ClientSecretJWT classes' sign method. Each class can be initialised with a headers dictionary. In ClientSecretJWT, the self.headers is passed to client_secret_jwt_sign as a kwparam called headers. PrivateKeyJWT doesn't actually pass the headers through to private_key_jwt_sign at all, but should (that's the first problem). This allows people to set things like the kid on the JWT header.

The second problem is that the sign_jwt_bearer_assertion expects a kwarg called header and not headers. At the moment, the headers from ClientSecretJWT.sign() appear to be ignored.

In summary, two issues:

I can create a PR, but I can't see any existing tests for the RFC7523 code in the codebase that I can enhance. Any guidance would be greatly appreciated.

Error Stacks

None

Expected behaviour

I would expect the headers to be passed through and included in the JWT.

Environment:

Additional context

This is being used to implement a Flask application that uses OpenID Connect with private_key_jwt.
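
The defect the report describes is a kwarg-name mismatch: a caller passes `headers=`, the callee only knows `header=` and swallows everything else in `**kwargs`, so the custom JOSE header (for example a `kid`) never reaches the token. The following is an added, self-contained illustration written for this page; it is not Authlib's code and the function names (`_sign_jwt_bearer_assertion`, `client_secret_jwt_sign_buggy`, `client_secret_jwt_sign_fixed`, `verify_client_assertion`) are hypothetical stand-ins for the routines the issue mentions. It uses HS256 (client_secret_jwt) so that it runs with only the standard library, and it also pins `alg` so that a caller-supplied header cannot downgrade the algorithm, which is the check you want once headers do get passed through.

```python
"""RFC 7523 client assertion (client_secret_jwt, HS256) with header pass-through.

Added example, not Authlib's implementation. The client secret, client id and
token endpoint used in the usage section are constructed sample values.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign_jwt_bearer_assertion(key: bytes, issuer: str, audience: str, *,
                               subject=None, issued_at=None, expires_at=None,
                               claims=None, header=None, **kwargs) -> str:
    """Hypothetical signer modelled on the one the issue describes.

    The parameter is spelled ``header``. Any other keyword (such as ``headers``)
    falls into ``**kwargs`` and is silently dropped; that is the reported trap.
    """
    jose_header = {"typ": "JWT"}
    if header:
        jose_header.update(header)
    jose_header["alg"] = "HS256"  # pinned: a caller-supplied alg must not win
    now = int(time.time()) if issued_at is None else issued_at
    payload = {
        "iss": issuer,
        "sub": subject or issuer,
        "aud": audience,
        "iat": now,
        "exp": expires_at if expires_at is not None else now + 300,
        "jti": secrets.token_urlsafe(16),  # replay protection (RFC 7523 §3)
    }
    if claims:
        payload.update(claims)
    signing_input = (
        b64url_encode(json.dumps(jose_header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def client_secret_jwt_sign_buggy(client_secret, client_id, token_endpoint, headers=None):
    # Mirrors the reported defect: ``headers=`` is absorbed by **kwargs and lost.
    return _sign_jwt_bearer_assertion(client_secret.encode(), client_id,
                                      token_endpoint, headers=headers)


def client_secret_jwt_sign_fixed(client_secret, client_id, token_endpoint, headers=None):
    # Correct wiring: the dict reaches the signer under the name it expects.
    return _sign_jwt_bearer_assertion(client_secret.encode(), client_id,
                                      token_endpoint, header=headers)


def decode_header(token: str) -> dict:
    return json.loads(b64url_decode(token.split(".")[0]))


def verify_client_assertion(token, client_secret, token_endpoint, client_id) -> dict:
    """Token-endpoint side checks: signature, pinned alg, iss/sub, aud, exp."""
    h, p, s = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    if decode_header(token).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        raise ValueError("iss/sub do not match the authenticating client")
    if claims.get("aud") != token_endpoint:
        raise ValueError("assertion not addressed to this token endpoint")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("assertion expired")
    return claims


if __name__ == "__main__":
    # Constructed sample values.
    secret, cid, endpoint = "s3cret-value", "client-123", "https://as.example/token"
    print(decode_header(client_secret_jwt_sign_buggy(secret, cid, endpoint, headers={"kid": "key-1"})))
    print(decode_header(client_secret_jwt_sign_fixed(secret, cid, endpoint, headers={"kid": "key-1"})))
```

Running it shows the buggy path emitting a header without `kid` while the fixed path carries it through; the verifier function is what the token endpoint would run on the received `client_assertion`, and the `alg` pin is why `headers={"alg": "none"}` still yields an HS256 token.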

dhallam commented 1 year ago

Duplicate of #515