attribute 64788fd and use new OIDC_JOSE_JWKS_KEYS_STR

Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Mar 7, 2024 · 2eef008 · 2eef008
1 parent 64788fd
commit 2eef008
Show file tree

Hide file tree

Showing 5 changed files with 8 additions and 9 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,5 +1,6 @@
 03/07/2024
 - OIDCProviderSignedJwksUri: accept verification key set formatted as either JWK or JWKS
+  see #1191; thanks @psteniusubi
 - properly handle parse errors in Require claim integer statements
 
 03/06/2024

diff --git a/src/handle/request_uri.c b/src/handle/request_uri.c
@@ -145,9 +145,9 @@ static apr_byte_t oidc_request_uri_encryption_jwk_by_type(request_rec *r, oidc_c
 		return FALSE;
 	}
 
-	json_t *keys = json_object_get(j_jwks, OIDC_JWK_KEYS);
+	json_t *keys = json_object_get(j_jwks, OIDC_JOSE_JWKS_KEYS_STR);
 	if ((keys == NULL) || !(json_is_array(keys))) {
-		oidc_error(r, "\"%s\" array element is not a JSON array", OIDC_JWK_KEYS);
+		oidc_error(r, "\"%s\" array element is not a JSON array", OIDC_JOSE_JWKS_KEYS_STR);
 		return FALSE;
 	}
 

diff --git a/src/metadata.c b/src/metadata.c
@@ -74,7 +74,7 @@ extern module AP_MODULE_DECLARE_DATA auth_openidc_module;
 #define OIDC_METADATA_CLIENT_SECRET "client_secret"
 #define OIDC_METADATA_CLIENT_SECRET_EXPIRES_AT "client_secret_expires_at"
 
-#define OIDC_METADATA_KEYS "keys"
+#define OIDC_METADATA_KEYS OIDC_JOSE_JWKS_KEYS_STR
 
 #define OIDC_METADATA_CLIENT_JWKS_URI "client_jwks_uri"
 #define OIDC_METADATA_ID_TOKEN_SIGNED_RESPONSE_ALG "id_token_signed_response_alg"
@@ -1104,13 +1104,13 @@ static void oidc_metadata_get_jwks(request_rec *r, json_t *json, apr_array_heade
 	oidc_jwk_t *jwk = NULL;
 	json_t *elem = NULL;
 
-	keys = json_object_get(json, OIDC_JWK_KEYS);
+	keys = json_object_get(json, OIDC_JOSE_JWKS_KEYS_STR);
 	if (keys == NULL)
 		return;
 
 	if (!json_is_array(keys)) {
 		oidc_error(r, "trying to parse a list of JWKs but the value for key \"%s\" is not a JSON array",
-			   OIDC_JWK_KEYS);
+				OIDC_JOSE_JWKS_KEYS_STR);
 		return;
 	}
 

diff --git a/src/mod_auth_openidc.h b/src/mod_auth_openidc.h
@@ -597,8 +597,6 @@ apr_byte_t oidc_oauth_get_bearer_token(request_rec *r, const char **access_token
 #define OIDC_CLAIM_SID "sid"
 #define OIDC_CLAIM_EVENTS "events"
 
-#define OIDC_JWK_KEYS "keys"
-
 #define OIDC_HOOK_INFO_FORMAT_JSON "json"
 #define OIDC_HOOK_INFO_FORMAT_HTML "html"
 #define OIDC_HOOK_INFO_TIMESTAMP "iat"

diff --git a/src/proto.c b/src/proto.c
@@ -789,9 +789,9 @@ static apr_byte_t oidc_proto_get_key_from_jwks(request_rec *r, oidc_jwt_t *jwt,
 	oidc_debug(r, "search for kid \"%s\" or thumbprint x5t \"%s\"", jwt->header.kid, x5t);
 
 	/* get the "keys" JSON array from the JWKs object */
-	json_t *keys = json_object_get(j_jwks, OIDC_JWK_KEYS);
+	json_t *keys = json_object_get(j_jwks, OIDC_JOSE_JWKS_KEYS_STR);
 	if ((keys == NULL) || !(json_is_array(keys))) {
-		oidc_error(r, "\"%s\" array element is not a JSON array", OIDC_JWK_KEYS);
+		oidc_error(r, "\"%s\" array element is not a JSON array", OIDC_JOSE_JWKS_KEYS_STR);
 		return FALSE;
 	}