Closed jmickeyd closed 9 months ago

Describe the bug
I am receiving a signed then encrypted id_token. Said token has a protected header of the form:

In https://github.com/panva/node-openid-client/blob/01cd89a14db20cb3aef3880f914c2d0e988b1533/lib/client.js#L723-L728, the full protected header from the JWE is directly used to query the fields in the jwks, but I don't think the JWE payload content type should affect key use.

To Reproduce
Fully internal IdP, can't externally fully repro, but I think the above is clear.

Expected behaviour
"cty" is removed from protectedHeader before being used to probe the key set.

Environment:

Additional context
This crosses a ton of specs: OIDC, JWT/JWE, and JWKS. I tried to look for any specification on this, but came up empty-handed. I very well could be wrong, but intuitively it feels like the payload content type should have no bearing on the key usage.

As a workaround I just set
"cty":"JWT"
in the jwk, which works fine.

Hi @jmickeyd,
How does this affect the resulting keystore query? From a very cursory look at the keystore, the non-relevant parts of the protected header don't affect the lookup...
I guess what I'm missing here is what the problem you're experiencing might be.

sigh, because I'm stupid... This was a red herring. Sorry for the noise.
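The point argued in the issue body above is that only the header parameters that identify a key (alg, kid) should drive a JWKS lookup, while payload metadata such as "cty" should not. The following is an added example written for this page, not node-openid-client's own key-selection code: it derives a key query from a JWE or JWS protected header, drops everything that does not describe the key, and filters a JWKS with it. The JWKS, the alg-to-kty table, the header values and the function names are all constructed for the example (the table is abbreviated and omits, for instance, ECDH-ES with OKP keys).

```javascript
// Added example (not node-openid-client's own code): derive a JWKS key query
// from a JWE/JWS protected header using only the parameters that identify the
// key, so payload metadata such as "cty", "typ", "enc" or "zip" cannot
// influence which key is selected.

// Abbreviated alg -> kty table (assumption: only the algorithms listed here;
// ECDH-ES with OKP/X25519 keys is left out for brevity).
const ALG_KTY = {
  'RSA-OAEP': 'RSA', 'RSA-OAEP-256': 'RSA', RSA1_5: 'RSA',
  'ECDH-ES': 'EC', 'ECDH-ES+A128KW': 'EC', 'ECDH-ES+A256KW': 'EC',
  RS256: 'RSA', RS384: 'RSA', RS512: 'RSA', PS256: 'RSA', PS384: 'RSA',
  ES256: 'EC', ES384: 'EC', ES512: 'EC',
};

// Constructed sample JWKS: only the selection parameters are present; the
// key material itself (n/e, x/y) is omitted because the lookup never reads it.
const SAMPLE_JWKS = {
  keys: [
    { kty: 'RSA', kid: 'enc-2023', use: 'enc', alg: 'RSA-OAEP' },
    { kty: 'RSA', kid: 'sig-2023', use: 'sig', alg: 'RS256' },
    { kty: 'EC', kid: 'ecdh-1', use: 'enc', crv: 'P-256' },
  ],
};

// purpose is 'decrypt' (JWE) or 'verify' (JWS); it decides the expected "use".
function keyQueryFromHeader(protectedHeader, purpose) {
  if (purpose !== 'decrypt' && purpose !== 'verify') {
    throw new TypeError(`unknown purpose: ${purpose}`);
  }
  const query = { use: purpose === 'decrypt' ? 'enc' : 'sig' };
  if (typeof protectedHeader.kid === 'string') query.kid = protectedHeader.kid;
  if (typeof protectedHeader.alg === 'string') {
    query.alg = protectedHeader.alg;
    const kty = ALG_KTY[protectedHeader.alg];
    if (kty) query.kty = kty;
  }
  // Everything else in the header ("cty", "typ", "enc", "zip", "crit", ...)
  // describes the payload or the content encryption, not the key, and is dropped.
  return query;
}

function selectKeys(jwks, query) {
  return jwks.keys.filter((jwk) => {
    if (query.kid !== undefined && jwk.kid !== query.kid) return false;
    if (query.kty !== undefined && jwk.kty !== query.kty) return false;
    // A JWK that carries "alg" is bound to that algorithm; one without it is not.
    if (query.alg !== undefined && jwk.alg !== undefined && jwk.alg !== query.alg) return false;
    // Likewise a JWK without "use" is not restricted to signing or encryption.
    if (jwk.use !== undefined && jwk.use !== query.use) return false;
    return true;
  });
}

// Full lookup from protected header to the kids of the candidate keys.
function kidsForHeader(jwks, protectedHeader, purpose) {
  return selectKeys(jwks, keyQueryFromHeader(protectedHeader, purpose)).map((k) => k.kid);
}

// Constructed JWE protected header of the shape the issue describes (a nested
// JWT, hence "cty":"JWT"); the exact values are assumed.
const JWE_HEADER = { alg: 'RSA-OAEP', enc: 'A256GCM', kid: 'enc-2023', cty: 'JWT' };

// Stand-alone run: the same key is found whether or not "cty" is present.
const { cty: _ignored, ...headerWithoutCty } = JWE_HEADER;
console.log(kidsForHeader(SAMPLE_JWKS, JWE_HEADER, 'decrypt'));
console.log(kidsForHeader(SAMPLE_JWKS, headerWithoutCty, 'decrypt'));
```

Because the query is built from an allow-list of header parameters rather than by passing the whole header through, a JWKS entry never needs a "cty" member to match, and the workaround of adding "cty":"JWT" to the JWK becomes unnecessary. The "use" check comes from the operation being performed (decrypt versus verify), not from the token, so an encryption key cannot be picked up to verify a signature even if an attacker controls the header.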