Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

bugfix: 'kid' not in given key list #129

Merged
merged 2 commits into from
Jun 21, 2017
Merged

bugfix: 'kid' not in given key list #129

merged 2 commits into from
Jun 21, 2017

Conversation

stampycode
Copy link

if 'kid' value is not found in the given key map, should throw an exception.
Instead, it was outputting a php warning for using an undefined index, resulting in a null key.

@stampycode
bugfix: 'kid' not in given key list
491ab3a 
if 'kid' value is not found in the given key map, should throw an exception.
Instead, it was outputting a php warning for using an undefined index, resulting in a null key.
@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please let us know the company's name.

1 similar comment
@googlebot
Copy link

Thanks for your pull request. It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

  • If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
  • If you signed the CLA as a corporation, please let us know the company's name.

@stampycode
Copy link
Author

I signed it!

@googlebot
Copy link

CLAs look good, thanks!

bshaffer
bshaffer reviewed Jan 18, 2017
View reviewed changes
src/JWT.php
@@ -98,6 +98,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
}
if (is_array($key) || $key instanceof \ArrayAccess) {
if (isset($header->kid)) {
if(!isset($key[$header->kid])) {
throw new UnexpectedValueException('"kid" not found in key map, unable to lookup correct key');
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The kid not found in the map indicates an invalid kid, so a better error message would be simply Invalid "kid". Another option would be to set the value of $key to null here, so the OpenSSL unable to verify data error is thrown. I prefer the first option, however.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer to have a distinct exception here, as the kid not being present in the list can then be used to trigger the key list being re-downloaded from the source, and updating the locally cached key list. I have a suspicion the key-list download endpoint is deliberately slow to encourage developers the cache the list and update periodically...

bshaffer
bshaffer reviewed Jan 18, 2017
View reviewed changes
src/JWT.php
@@ -98,6 +98,9 @@ public static function decode($jwt, $key, $allowed_algs = array())
}
if (is_array($key) || $key instanceof \ArrayAccess) {
if (isset($header->kid)) {
if(!isset($key[$header->kid])) {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We need a space after if

@rjbaker
Copy link

rjbaker commented Feb 24, 2017

Any chance this could be merged? When using this lib to validate tokens provided by Firebase Custom Authentication, public keys are cycled regularly. If a JWT is presented which specifies a kid no longer in the current list of public keys, the lib will throw an ErrorException rather than an UnexpectedValueException.

Thanks.

@bshaffer bshaffer merged commit 2261c1c into firebase:master Jun 21, 2017
@BVMiko BVMiko mentioned this pull request Aug 17, 2017
Merged
palminha
palminha reviewed Aug 21, 2018
View reviewed changes
Copy link

@palminha palminha left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this implementation is accordingly to the spec. Spec claims that kid should be optional https://tools.ietf.org/html/rfc7515#section-4.1.4

@stampycode
Copy link
Author

@palminha The kid field is optional for the JWT spec, but it is used in this implementation, so it is required here. Requiring a kid is an application-specific requirement. If the kid field is not populated then the JWT is valid according to the spec, but is missing the information required to complete the request.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bshaffer bshaffer bshaffer left review comments

@palminha palminha palminha left review comments

@Nyholm Nyholm Nyholm approved these changes

Assignees
No one assigned
Labels
cla: yes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@stampycode @googlebot @rjbaker @bshaffer @Nyholm @palminha