- changed status to resolved
algorithm constraint issue with JwtConsumer and some key resolvers
The JwtConsumer sets the algorithm constraints on the JWS/JWE after calling the key resolver. Some/many key resolvers, like HttpsJwksVerificationKeyResolver and JwksVerificationKeyResolver, use VerificationJwkSelector/SelectorSupport which calls getAlgorithm() on the JWS/JWE. The getAlgorithm() does the algorithm constraints, which can throw an exception.
This shows up as a problem when using JwtConsumer and you want to allow the "none" algorithm for JWS. "none" is restricted by default, and the algorithm constraints from the JwtConsumer/JwtConsumerBuilder won't have been set on the JWS to override that default by the time getAlgorithm() is called by the key resolver, so an exception saying "none" is blacklisted is thrown.
Note that with HttpsJwksVerificationKeyResolver and JwksVerificationKeyResolver that scenario would still throw an exception because no key is found. A little more work (like wrapping the resolver in a simple delegate) is needed to make it work. But the algorithm constraints error is very confusing because it happens even when you use the API to explicitly say that there are no constraints.
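The "simple delegate" workaround mentioned above, written out as an added example; it is not code from the issue or from the jose4j project itself. It wraps a JwksVerificationKeyResolver in a resolver that reads the raw "alg" header with getAlgorithmHeaderValue() (which, unlike getAlgorithm(), performs no constraint check) and returns no key for an unsecured "none" JWS instead of letting the JWKS lookup fail, while the JwtConsumerBuilder is told explicitly that no algorithm constraints apply. The class name NoneAwareKeyResolver, the issuer and audience strings, and the empty JWKS are assumptions made for the example; the unsecured token it checks is constructed inline with jose4j's own JsonWebSignature.

```java
import java.security.Key;
import java.util.List;

import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwk.JsonWebKeySet;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.jwt.JwtClaims;
import org.jose4j.jwt.consumer.JwtConsumer;
import org.jose4j.jwt.consumer.JwtConsumerBuilder;
import org.jose4j.jwx.JsonWebStructure;
import org.jose4j.keys.resolvers.JwksVerificationKeyResolver;
import org.jose4j.keys.resolvers.VerificationKeyResolver;
import org.jose4j.lang.UnresolvableKeyException;

/**
 * Hypothetical delegating resolver (not part of jose4j): an unsecured "none" JWS has
 * no key to resolve, so answer null for it; every other algorithm is handed to the
 * wrapped JWKS-based resolver exactly as before.
 */
public class NoneAwareKeyResolver implements VerificationKeyResolver {

    private final VerificationKeyResolver delegate;

    public NoneAwareKeyResolver(VerificationKeyResolver delegate) {
        this.delegate = delegate;
    }

    @Override
    public Key resolveKey(JsonWebSignature jws, List<JsonWebStructure> nestingContext)
            throws UnresolvableKeyException {
        // Raw header value: no constraint check runs here, so this works regardless of
        // whether the consumer has already pushed its constraints onto the JWS.
        String alg = jws.getAlgorithmHeaderValue();
        if (AlgorithmIdentifiers.NONE.equals(alg)) {
            return null; // nothing to look up; the JWKS resolver would throw "no key found"
        }
        return delegate.resolveKey(jws, nestingContext);
    }

    /** Consumer that deliberately lifts the default block on "none" and needs no signature. */
    public static JwtConsumer buildConsumer(JsonWebKeySet jwks) {
        VerificationKeyResolver jwksResolver =
                new JwksVerificationKeyResolver(jwks.getJsonWebKeys());
        return new JwtConsumerBuilder()
                .setVerificationKeyResolver(new NoneAwareKeyResolver(jwksResolver))
                .setJwsAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS) // explicit: allow "none"
                .setDisableRequireSignature()
                .setExpectedIssuer("https://issuer.example")   // assumed value
                .setExpectedAudience("example-api")            // assumed value
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty key set and an unsecured JWT with matching claims.
        JsonWebKeySet jwks = new JsonWebKeySet("{\"keys\":[]}");

        JwtClaims claims = new JwtClaims();
        claims.setIssuer("https://issuer.example");
        claims.setAudience("example-api");
        claims.setSubject("alice");
        claims.setExpirationTimeMinutesInTheFuture(5);

        JsonWebSignature unsecured = new JsonWebSignature();
        unsecured.setPayload(claims.toJson());
        unsecured.setAlgorithmHeaderValue(AlgorithmIdentifiers.NONE);
        // Producing side must also opt out of the default DISALLOW_NONE constraint.
        unsecured.setAlgorithmConstraints(AlgorithmConstraints.NO_CONSTRAINTS);
        String jwt = unsecured.getCompactSerialization(); // "<header>.<payload>." with empty signature

        JwtConsumer consumer = buildConsumer(jwks);
        JwtClaims processed = consumer.processToClaims(jwt);
        System.out.println("subject: " + processed.getSubject());
    }
}
```

Because the delegate never calls getAlgorithm() for the "none" case, it sidesteps the ordering problem the issue describes (constraints applied only after key resolution) as well as the separate "no key found" failure from the JWKS resolvers; a token with any other "alg" still goes through the normal JWKS key selection and signature check.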
Comments (1)
reporter
c2d9b8c "fix for Issue #84 'algorithm constraint issue with JwtConsumer and some key resolvers' by adding a getAlgorithmNoConstraintCheck() to JWE/JWS and using that in the key selection. Also moving the setting of constraints to before key resolving in JwtConsumer. So kinda fixing it twice but both seemed useful."