Incorrect handling of "Unsupported key type.." exception by JWKSet.parse(final JSONObject json) method
The problem is caused by the code fragment shown below. The JWK.parse method called there throws an exception when it encounters an unsupported key type. The JWKSet code, instead of ignoring this key, throws an exception, interrupting the parsing of keys. This behavior is incorrect, at least in the context of parsing the response of an OIDC JWK Set endpoint, as clients are not required to support all keys supported by the server.
    try {
        keys.add(JWK.parse(keyJSON));
    } catch (ParseException e) {
        // Any ParseException from JWK.parse, including an unsupported "kty", aborts parsing of the whole set
        throw new ParseException("Invalid JWK at position " + i + ": " + e.getMessage(), 0);
    }
Comments (6)
-
I got the exception trying to authenticate with OpenID certification site. It looks like they have more key types than you support. Now we cannot claim that we are certified with OpenID. Anyway, to be compliant with OIDC standard you shall allow keys you don’t support in the JWK Set. You just need to ignore them.
-
That’s correct, here is the spec section:
https://tools.ietf.org/html/rfc7517#section-5
Implementations SHOULD ignore JWKs within a JWK Set that use "kty" (key type) values that are not understood by them, that are missing required members, or for which values are out of the supported ranges.
This is probably the new “Java-based cert suite”, the previous one didn’t have this test.
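The RFC 7517 section 5 behaviour quoted above, as an added example that is not the library's own code: a small JWK Set parser that skips keys with an unknown "kty" or missing required members and fails only when the set itself is malformed (the SUPPORTED_KTY table, the JWKSetParseError name and the sample keys are assumptions of this example).

```python
import json

# Key types this hypothetical client understands, with the members each one
# requires. Anything else is skipped, per RFC 7517 section 5.
SUPPORTED_KTY = {
    "RSA": ("n", "e"),
    "EC": ("crv", "x", "y"),
    "oct": ("k",),
}


class JWKSetParseError(ValueError):
    """Raised only when the JWK Set itself is malformed, never for one bad key."""


def parse_jwk_set(raw):
    """Parse a JWK Set and return (accepted_keys, skipped) where skipped is a
    list of (index, reason) for keys that were ignored rather than fatal."""
    try:
        doc = json.loads(raw)
    except ValueError as exc:
        raise JWKSetParseError("JWK Set is not valid JSON: %s" % exc)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list):
        raise JWKSetParseError('JWK Set must be a JSON object with a "keys" array')
    accepted, skipped = [], []
    for i, jwk in enumerate(keys):
        if not isinstance(jwk, dict) or "kty" not in jwk:
            skipped.append((i, 'not a JWK object or missing "kty"'))
            continue
        kty = jwk["kty"]
        required = SUPPORTED_KTY.get(kty)
        if required is None:
            # Unknown key type: ignore it, do not abort the whole set
            skipped.append((i, "unsupported kty %r" % kty))
            continue
        missing = [m for m in required if m not in jwk]
        if missing:
            skipped.append((i, "kty %s missing members %s" % (kty, missing)))
            continue
        accepted.append(jwk)
    return accepted, skipped


# Constructed sample set: one RSA key the client supports, one key of a kty it
# does not know (OKP, RFC 8037), and one EC key missing its required "y".
SAMPLE_JWK_SET = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa1", "use": "sig", "n": "n-placeholder", "e": "AQAB"},
    {"kty": "OKP", "kid": "ed1", "crv": "Ed25519", "x": "x-placeholder"},
    {"kty": "EC", "kid": "ec1", "crv": "P-256", "x": "x-placeholder"},
]})
```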
-
Fixed for v9.x: a36cb33
-
- changed status to resolved
Fixed for v8.x: ef8d086
Check out the new releases 9.0.1 and 8.20.1
-
Thanks Vladimir. Just a minor suggestion. It’s probably better to throw a subclass of ParseException than rely on message text.
-
Thanks for catching this. The library supports all known standard key types (kty), but people could theoretically define custom types.