Add "algorithm mismatch" error to improve jws · Pull Request #304 · mpdavis/python-jose · GitHub

Add "algorithm mismatch" error to improve jws#304

Open
ghost wants to merge 3 commits into mpdavis:master from sweeneytr:master


ghost commented Nov 7, 2022


Upstream libraries that depend on jws.verify() break when the upstream keys contain a mixed set of algorithms. This is a nominal occurrence for OIDC servers and should be properly handled.

Upstream libraries that depend on `jws.verify()` break when the
upstream keys contain a mixed set of algorithms. This is a nominal
occurrence for OIDC servers and should be properly handled.

codecov Bot commented Nov 8, 2022


ghost commented Nov 8, 2022


As mentioned in the issue, this implements step 2 of Appendix D of the JWS spec

  1. Filter the set of collected keys. For instance, some
    applications will use only keys referenced by "kid" (key ID) or
    "x5t" (X.509 certificate SHA-1 thumbprint) parameters. If the
    application uses the JWK "alg" (algorithm), "use" (public key
    use), or "key_ops" (key operations) parameters, keys with
    inappropriate values of those parameters would be excluded.
    Additionally, keys might be filtered to include or exclude keys
    with certain other member values in an application-specific
    manner. For some applications, no filtering will be applied.
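The key-filtering step quoted above, sketched as an added example (not code from this pull request or from python-jose): keys whose "alg", "use", "key_ops" or "kid" do not fit the token are skipped rather than aborting verification for the whole key set. The function names, the sample JWKS (metadata only, key material omitted) and the sample token are constructed for illustration; only the standard library is used.

```python
import base64
import json


def jws_header(token: str) -> dict:
    """Decode the protected header of a compact JWS (no signature check)."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def candidate_keys(jwks: dict, header: dict, allowed_algs: set) -> list:
    """Return the JWKs worth trying for this token; verification happens later."""
    alg = header.get("alg")
    if alg not in allowed_algs:
        # The application, not the token, decides which algorithms are acceptable.
        raise ValueError(f"algorithm {alg!r} not allowed")
    kid = header.get("kid")
    selected = []
    for jwk in jwks.get("keys", []):
        if kid is not None and "kid" in jwk and jwk["kid"] != kid:
            continue  # a different key was referenced by the token
        if "alg" in jwk and jwk["alg"] != alg:
            continue  # algorithm mismatch: skip this key, keep looking
        if jwk.get("use", "sig") != "sig":
            continue  # encryption keys never verify signatures
        if "key_ops" in jwk and "verify" not in jwk["key_ops"]:
            continue
        selected.append(jwk)
    return selected


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: a mixed-algorithm key set as an OIDC server might publish.
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "kid": "rsa-1", "alg": "RS256", "use": "sig"},
    {"kty": "EC", "kid": "ec-1", "alg": "ES256", "use": "sig"},
    {"kty": "RSA", "kid": "rsa-enc", "alg": "RSA-OAEP", "use": "enc"},
    {"kty": "EC", "kid": "ec-2", "use": "sig", "key_ops": ["sign"]},
]}
# Constructed token: real header, placeholder payload and signature segments.
SAMPLE_TOKEN = _b64url({"alg": "ES256", "typ": "JWT"}) + ".e30.c2ln"

if __name__ == "__main__":
    hdr = jws_header(SAMPLE_TOKEN)
    print([k["kid"] for k in candidate_keys(SAMPLE_JWKS, hdr, {"RS256", "ES256"})])
```

An empty result means no published key fits the token and the token should be rejected; each returned key still has to pass real signature verification.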


dimaqq commented Jun 27, 2023


@mpdavis given that the original PR author account is deleted, maybe it's time to make a call: either take this PR over, maybe add more tests and merge it, or close it if it's incomplete?

My 2c: this PR is a good start.
