This repository was archived by the owner on Oct 10, 2025. It is now read-only.

@hf hf commented Jul 9, 2025

Because the /.well-known/jwks.json is heavily cached, a developer may rotate the standby key into use faster than those caches expire. In that case the getClaims() method may receive a JWT signed with a key ID it doesn't recognize. Instead of failing with an error, it should reach out directly to the Auth server to verify the JWT.

@hf hf force-pushed the hf/fallback-to-get-user-if-key-not-found branch from 0d94405 to 3359275 on July 9, 2025 19:24
@hf hf force-pushed the hf/fallback-to-get-user-if-key-not-found branch from 3359275 to 361baf1 on July 9, 2025 19:30
@hf hf merged commit 9721f60 into master Jul 10, 2025
6 of 7 checks passed
@hf hf deleted the hf/fallback-to-get-user-if-key-not-found branch July 10, 2025 10:19
hf pushed a commit that referenced this pull request Jul 14, 2025
🤖 I have created a release *beep* *boop*
---


## [2.71.0](v2.70.0...v2.71.0) (2025-07-10)


### Features

* fallback to `getUser()` if the `kid` of the JWT is not found
([#1080](#1080))
([9721f60](9721f60))
* introduce experimental split user and session storage
([#1023](#1023))
([e7b2f21](e7b2f21))
* make `getClaims()` non experimental, add global cache
([#1078](#1078))
([ffe13d7](ffe13d7))
* remove solana dependency by inlining types
([#1079](#1079))
([7665f94](7665f94))


### Bug Fixes

* handle null current session with split session storage
([#1071](#1071))
([bc6192a](bc6192a))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mandarini pushed a commit to supabase/supabase-js that referenced this pull request Oct 2, 2025
🤖 I have created a release *beep* *boop*
---


## [2.71.0](supabase/auth-js@v2.70.0...v2.71.0) (2025-07-10)


### Features

* fallback to `getUser()` if the `kid` of the JWT is not found
([#1080](supabase/auth-js#1080))
([9867cd1](supabase/auth-js@9867cd1))
* introduce experimental split user and session storage
([#1023](supabase/auth-js#1023))
([b3ea493](supabase/auth-js@b3ea493))
* make `getClaims()` non experimental, add global cache
([#1078](supabase/auth-js#1078))
([ce77cbf](supabase/auth-js@ce77cbf))
* remove solana dependency by inlining types
([#1079](supabase/auth-js#1079))
([9824c9b](supabase/auth-js@9824c9b))


### Bug Fixes

* handle null current session with split session storage
([#1071](supabase/auth-js#1071))
([69aca6f](supabase/auth-js@69aca6f))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
grdsdev added a commit to supabase/supabase-flutter that referenced this pull request Oct 6, 2025
Updates getClaims() documentation and comments to clarify that the
method always uses server-side verification via getUser(). This approach
gracefully handles edge cases such as:

- Key rotation scenarios where JWKS cache might not have the new signing key
- Symmetric JWTs (HS256) that require server-side verification
- Revoked or invalidated tokens that are still unexpired

This aligns the implementation intent with the auth-js behavior where
getClaims() falls back to getUser() when the signing key is not found
in JWKS or when client-side verification is not available.

The Flutter implementation uses this server-side verification approach
for all JWT types, providing robust and consistent validation regardless
of the signing algorithm.

Related: supabase/auth-js#1080

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>