
JWT Authentication with JWKS does not pass the Algorithm on

Open Tyqo opened this issue 1 year ago • 1 comments

Description

So in the JwtAuthenticator on line 154 the key set is getting decoded without the option of setting the algorithm. It uses Firebase\JWT\JWK, which assumes that if no algorithm is passed that no algorithm will be used for decoding. After editing the line as follows, everything worked:

$keySet = JWK::parseKeySet($jsonWebKeySet, $this->getConfig('algorithm'));

CakePHP Version

5.0.9

PHP Version

8.1

Tyqo avatar Jul 09 '24 10:07 Tyqo

> It uses Firebase\JWT\JWK which assumes that if no algorithm is passed that no algorithm will be used for decoding.

I don't think that's accurate. The 2nd argument of JWK::parseKeySet() is the default algo, which is used when a key in the keyset doesn't specify an algo. If both are unset then an exception is thrown: https://github.com/firebase/php-jwt/blob/76808fa227f3811aa5cdb3bf81233714b799a5b5/src/JWK.php#L106-L107.

ADmad avatar Oct 18 '24 12:10 ADmad
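
The fallback rule described in the reply above, modelled in plain PHP as an added example (it is not code from CakePHP or firebase/php-jwt). The function name `resolveKeyAlgorithms` and the sample key set are assumptions, and key material is left out.

```php
<?php
declare(strict_types=1);

/**
 * Model of the rule from the reply above (an assumption of this example,
 * not the library's code): a key's own "alg" wins, otherwise the default
 * is used, and a key with neither is rejected.
 *
 * @param array       $jwks       Decoded JWKS document
 * @param string|null $defaultAlg Fallback algorithm, e.g. from configuration
 * @return array                  kid => effective algorithm
 */
function resolveKeyAlgorithms(array $jwks, ?string $defaultAlg = null): array
{
    if (!isset($jwks['keys']) || !is_array($jwks['keys']) || $jwks['keys'] === []) {
        throw new InvalidArgumentException('JWKS must contain a non-empty "keys" array');
    }

    $resolved = [];
    foreach ($jwks['keys'] as $index => $jwk) {
        // Fall back to the position in the set when a key carries no "kid".
        $kid = (string)($jwk['kid'] ?? $index);
        $alg = $jwk['alg'] ?? $defaultAlg;
        if ($alg === null) {
            throw new UnexpectedValueException(
                "Key '$kid' has no \"alg\" and no default algorithm was given"
            );
        }
        $resolved[$kid] = $alg;
    }

    return $resolved;
}

// Constructed sample: only the fields the rule looks at, no real key material.
$jwks = ['keys' => [
    ['kid' => 'with-alg', 'kty' => 'RSA', 'alg' => 'RS512'],
    ['kid' => 'without-alg', 'kty' => 'RSA'],
]];

// The key's own "alg" is kept; the default only fills the gap.
print_r(resolveKeyAlgorithms($jwks, 'RS256'));

// With no default, the key that lacks "alg" is rejected instead of being
// used without an algorithm.
try {
    resolveKeyAlgorithms($jwks);
} catch (UnexpectedValueException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```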