JWT Authentication with JWKS does not pass the Algorithm on #667

Open
Tyqo opened this issue Jul 9, 2024 · 1 comment
Tyqo commented Jul 9, 2024

Description

So in the JwtAuthenticator on line 154 the key-set is getting decoded without the option of setting the algorithm.
It uses Firebase\JWT\JWK which assumes that if no algorithm is passed that no algorithm will be used for decoding.
After editing the line as follows, everything worked:

$keySet = JWK::parseKeySet($jsonWebKeySet, $this->getConfig('algorithm'));

CakePHP Version

5.0.9

PHP Version

8.1

markstory transferred this issue from cakephp/cakephp Jul 9, 2024
markstory added the bug label Jul 9, 2024

ADmad (Member) commented Oct 18, 2024

> It uses Firebase\JWT\JWK which assumes that if no algorithm is passed that no algorithm will be used for decoding.

I don't think that's accurate. The 2nd argument of JWK::parseKeySet() is the default algo, which is used when a key in the keyset doesn't specify an algo. If both are unset then an exception is thrown https://github.com/firebase/php-jwt/blob/76808fa227f3811aa5cdb3bf81233714b799a5b5/src/JWK.php#L106-L107.
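
The three cases discussed in this thread, as an added example that is not part of the issue or of the plugin's code: a JWKS key without "alg" parsed with no default, with a default, and a key that declares its own "alg". It assumes firebase/php-jwt v6 installed via Composer (the `vendor/autoload.php` path is an assumption), the OpenSSL extension, and a constructed throwaway key with the made-up kid `demo-key`.

```php
<?php
// Added example; assumes firebase/php-jwt v6 (Composer) and ext-openssl.
require __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\JWT;

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Constructed throwaway RSA key pair, generated on the fly for the demo.
$res = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($res, $privatePem);
$rsa = openssl_pkey_get_details($res)['rsa'];

// Constructed JWKS whose only key omits the optional "alg" member (RFC 7517, section 4.4).
$jwks = ['keys' => [[
    'kty' => 'RSA',
    'kid' => 'demo-key',
    'n'   => b64url($rsa['n']),
    'e'   => b64url($rsa['e']),
]]];

// Case 1: no "alg" in the key and no default algorithm: parseKeySet() throws.
try {
    JWK::parseKeySet($jwks);
    echo "case 1: parsed (unexpected)\n";
} catch (UnexpectedValueException $e) {
    echo 'case 1: ', $e->getMessage(), "\n";
}

// Case 2: the default algorithm fills in for the missing "alg".
$keySet = JWK::parseKeySet($jwks, 'RS256');
echo 'case 2: key algorithm = ', $keySet['demo-key']->getAlgorithm(), "\n";

// Case 3: an "alg" declared in the key takes precedence over the default.
$jwks['keys'][0]['alg'] = 'RS384';
$pinned = JWK::parseKeySet($jwks, 'RS256');
echo 'case 3: key algorithm = ', $pinned['demo-key']->getAlgorithm(), "\n";

// decode() accepts a token only if its header "alg" equals the parsed key's algorithm.
$token = JWT::encode(['sub' => 'demo'], $privatePem, 'RS256', 'demo-key');
echo 'decoded sub = ', JWT::decode($token, $keySet)->sub, "\n";
```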
