Merge pull request #659 from thibault-tiro/thibaultmh/proposed-fix-to…

…-decode-id-token-without-kid-in-alg-header Thibaultmh/proposed fix to decode id token without kid in alg header
lepture · Aug 29, 2024 · 74b71af · 74b71af
2 parents fdbb1cf + ad95e3f
commit 74b71af
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 3 deletions.
diff --git a/authlib/jose/rfc7517/key_set.py b/authlib/jose/rfc7517/key_set.py
@@ -23,6 +23,9 @@ def find_by_kid(self, kid):
         :return: Key instance
         :raise: ValueError
         """
+        # Proposed fix, feel free to do something else but the idea is that we take the only key of the set if no kid is specified
+        if kid is None and len(self.keys) == 1:
+            return self.keys[0]
         for k in self.keys:
             if k.kid == kid:
                 return k

diff --git a/tests/jose/test_jwt.py b/tests/jose/test_jwt.py
@@ -1,7 +1,7 @@
-import unittest
 import datetime
-from authlib.jose import errors
-from authlib.jose import JsonWebToken, JWTClaims, jwt
+import unittest
+
+from authlib.jose import JsonWebKey, JsonWebToken, JWTClaims, errors, jwt
 from authlib.jose.errors import UnsupportedAlgorithmError
 from tests.util import read_file_path
 
@@ -261,6 +261,20 @@ def test_use_jwks_single_kid(self):
         claims = jwt.decode(data, pub_key)
         self.assertEqual(claims['name'], 'hi')
 
+    # Added a unit test to showcase my problem. 
+    # This calls jwt.decode similarly as is done in parse_id_token method of the AsyncOpenIDMixin class when the id token does not contain a kid in the alg header.
+    def test_use_jwks_single_kid_keyset(self):
+        """Thest that jwks can be decoded if a kid for decoding is given
+        and encoded data has no kid and a keyset with one key."""
+        header = {'alg': 'RS256'}
+        payload = {'name': 'hi'}
+        private_key = read_file_path('jwks_single_private.json')
+        pub_key = read_file_path('jwks_single_public.json')
+        data = jwt.encode(header, payload, private_key)
+        self.assertEqual(data.count(b'.'), 2)
+        claims = jwt.decode(data, JsonWebKey.import_key_set(pub_key))
+        self.assertEqual(claims['name'], 'hi')
+
     def test_with_ec(self):
         payload = {'name': 'hi'}
         private_key = read_file_path('secp521r1-private.json')