@hf hf commented Jul 2, 2025

Some customers may be using JWTs signed with the JWT secret but they may be advertising a kid claim for their own purposes. Auth should try to reasonably accept those JWTs.

@hf hf requested a review from a team as a code owner July 2, 2025 13:18
@hf hf force-pushed the hf/fallback-to-jwt-secret-if-unknown-kid branch from e88510b to 8857fd2 Compare July 2, 2025 13:21
@hf hf force-pushed the hf/fallback-to-jwt-secret-if-unknown-kid branch from 8857fd2 to 9d398e7 Compare July 2, 2025 13:42
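An added illustration of the rule this PR describes (and that the 2.177.0 changelog entry below summarises as "fallback to jwt secret if alg is `HS256` and the `kid` is not recognized"). This is example code written for this page, not the project's own implementation: a stdlib-only HS256 verifier whose key resolution prefers a configured `kid`, falls back to the legacy JWT secret only when the `kid` is unknown (or absent) and `alg` is `HS256`, and rejects any other `alg` before a key is chosen. The `Keyring` type and its field layout, the error values, the key names and the secrets are all assumptions made for the example; a production keyring would also hold asymmetric public keys, which this example does not model.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Keyring: signing keys addressed by kid plus the legacy shared JWT secret. Only
// HS256 secrets are modelled (stdlib only); real public keys must never reach HMAC.
type Keyring struct {
	Keys   map[string][]byte // kid -> HMAC secret (assumed layout)
	Secret []byte            // legacy JWT secret; empty when not configured
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid,omitempty"`
}

var ErrMalformed = errors.New("malformed token")
var ErrUnsupportedAlg = errors.New("unsupported alg")
var ErrUnknownKid = errors.New("unknown kid and no fallback secret")
var ErrBadSignature = errors.New("signature verification failed")

var enc = base64.RawURLEncoding

func hs256(key []byte, input string) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return mac.Sum(nil)
}

// SigningInput builds base64url(header).base64url(payload); marshal errors are
// ignored because header and claims here are plain JSON-able maps.
func SigningInput(alg, kid string, claims map[string]any) string {
	h, _ := json.Marshal(header{Alg: alg, Kid: kid})
	p, _ := json.Marshal(claims)
	return enc.EncodeToString(h) + "." + enc.EncodeToString(p)
}

// SignHS256 mints a token the way a customer holding the shared secret would,
// optionally advertising a kid of their own choosing.
func SignHS256(claims map[string]any, secret []byte, kid string) string {
	in := SigningInput("HS256", kid, claims)
	return in + "." + enc.EncodeToString(hs256(secret, in))
}

// resolveKey is the fallback rule: a configured kid wins; an unknown or absent
// kid falls back to the legacy secret, but only for HS256. Any other alg is
// rejected before a key is chosen, so an RS256 or "none" token cannot be
// steered onto the HMAC path by picking a kid.
func (k Keyring) resolveKey(h header) ([]byte, error) {
	if h.Alg != "HS256" {
		return nil, ErrUnsupportedAlg
	}
	if key, ok := k.Keys[h.Kid]; ok {
		return key, nil
	}
	if len(k.Secret) == 0 {
		return nil, ErrUnknownKid
	}
	return k.Secret, nil
}

// Verify resolves the key from the header, checks the HMAC in constant time
// and only then parses the claims.
func (k Keyring) Verify(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, ErrMalformed
	}
	var h header
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return nil, ErrMalformed
	}
	key, err := k.resolveKey(h)
	if err != nil {
		return nil, err
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !hmac.Equal(hs256(key, parts[0]+"."+parts[1]), sig) {
		return nil, ErrBadSignature
	}
	var claims map[string]any
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, ErrMalformed
	}
	return claims, nil
}

func main() {
	kr := Keyring{Keys: map[string][]byte{"k-2025-07": []byte("rotated-secret")}, Secret: []byte("legacy-jwt-secret")} // constructed
	fmt.Println(kr.Verify(SignHS256(map[string]any{"sub": "user-1"}, kr.Secret, "customer-kid")))
}
```

Two things to check when adopting a rule like this: the fallback must be gated on `alg` first, so that an unknown `kid` on an RS256 or `none` token is never answered by HMAC-verifying with the shared secret (the classic algorithm-confusion route), and a `kid` that *is* configured must use its own key rather than also falling back, otherwise a stale secret would keep validating tokens meant for a rotated key. The example also makes the operational consequence visible: once unknown `kid` values are tolerated, the legacy secret has to stay configured for as long as customer-minted tokens carrying such `kid`s are in circulation, and with no secret configured an unknown `kid` is a hard error.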
@coveralls

Pull Request Test Coverage Report for Build 16026805300

Details

  • 7 of 18 (38.89%) changed or added relevant lines in 3 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.03%) to 70.068%

| Changes Missing Coverage | Covered Lines | Changed/Added Lines | % |
| --- | --- | --- | --- |
| internal/api/auth.go | 5 | 8 | 62.5% |
| internal/api/external.go | 1 | 9 | 11.11% |

| Totals | Coverage Status |
| --- | --- |
| Change from base Build 16026448835: | -0.03% |
| Covered Lines: | 11426 |
| Relevant Lines: | 16307 |

💛 - Coveralls


@cstockton cstockton left a comment


👍

@hf hf merged commit 8fa99bd into master Jul 3, 2025
6 checks passed
@hf hf deleted the hf/fallback-to-jwt-secret-if-unknown-kid branch July 3, 2025 10:02
hf pushed a commit that referenced this pull request Jul 8, 2025
🤖 I have created a release *beep* *boop*
---


## [2.177.0](v2.176.1...v2.177.0) (2025-07-05)


### Features

* add option to disable writing to `audit_log_entries`
([#2073](#2073))
([80758dd](80758dd))
* add snapchat provider
([#2071](#2071))
([fca8ea4](fca8ea4))
* enhance login analytics
([#2078](#2078))
([1aed4a2](1aed4a2))
* fallback to jwt secret if alg is `HS256` and the `kid` is not
recognized ([#2072](#2072))
([8fa99bd](8fa99bd))
* ignore `aud` claim from admin jwt (`service_role` never had one)
([#2070](#2070))
([57eddcb](57eddcb))


### Bug Fixes

* add missing provider info to signedup audit logs
([#2061](#2061))
([c6e0cbe](c6e0cbe))
* **auditlog:** keep writing to logs even postgres is disabled
([#2076](#2076))
([b89bc32](b89bc32))
* do not log fatal when http server successfully closes
([#2065](#2065))
([1f7de6c](1f7de6c))
* invites should send another email when user exists
([#2058](#2058))
([96469bd](96469bd))
* use `appleid.apple.com` as default issuer
([#2068](#2068))
([963a781](963a781))
* use `split_words` config option for `AuditLog`
([#2075](#2075))
([7ecb234](7ecb234))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
…ecognized (#2072)

Some customers may be using JWTs signed with the JWT secret but they may
be advertising a `kid` claim for their own purposes. Auth should try to
reasonably accept those JWTs.
cemalkilic pushed a commit that referenced this pull request Aug 7, 2025
🤖 I have created a release *beep* *boop*
---


## [2.177.0](v2.176.1...v2.177.0) (2025-07-05)
issuedat pushed a commit that referenced this pull request Sep 30, 2025
…ecognized (#2072)

Some customers may be using JWTs signed with the JWT secret but they may
be advertising a `kid` claim for their own purposes. Auth should try to
reasonably accept those JWTs.
issuedat pushed a commit that referenced this pull request Sep 30, 2025
🤖 I have created a release *beep* *boop*
---


## [2.177.0](v2.176.1...v2.177.0) (2025-07-05)