FusionAuth/fusionauth-jwt

Incorrectly using alg instead of kty to parse a public key from a JWK

robotdan opened this issue · 0 comments

One of our fantastic users pointed out to us:

I am using the fusionauth-jwt Java library (3.5.0) for a project and have run into an issue with the JSONWebKeyParser. It appears that the parse method of that class, which takes a JSONWebKey object and returns a PublicKey object is relying on the presence of the ‘alg’ parameter of the key. However, this parameter is an optional parameter according to the spec (https://tools.ietf.org/html/rfc7517). I believe that the code for this class could be rewritten to rely on the ‘kty’ parameter instead, which is a required parameter of a key.

This looks to be correct, and we should be using the kty parameter to extract the public components from the JWK.
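As an added illustration of the fix described in this issue (example code written for this page, not fusionauth-jwt's own JSONWebKeyParser), the parser below builds a java.security.PublicKey from a JWK by dispatching on the required kty member and never needs alg to be present. It uses only JDK APIs (Java 11 or later for Map.of and List.of). The JWK is modelled as a Map of its string members; the sample keys are generated at run time by main() and exported without an alg member, so the round trip exercises exactly the case the user reported. Two choices here go beyond the issue text and are mine: when alg is present it is cross-checked against kty and a mismatch is rejected, and EC coordinates are required to be exactly the curve's field size in octets as RFC 7518 specifies. The class name, helper names and the hardcoded "P-256" in toJwk() are assumptions of this example.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.*;
import java.security.spec.*;
import java.util.*;

public class JwkKtyParser {
  // JWK crv names (RFC 7518 section 6.2.1.1) mapped to the JCA curve names.
  static final Map<String, String> CURVES = Map.of("P-256", "secp256r1", "P-384", "secp384r1", "P-521", "secp521r1");

  // Fetch a member that RFC 7517 / RFC 7518 make mandatory for this key type.
  static String require(Map<String, String> jwk, String member) {
    String v = jwk.get(member);
    if (v == null) throw new IllegalArgumentException("JWK is missing required member '" + member + "'");
    return v;
  }

  // Dispatch on kty, which RFC 7517 section 4.1 requires. alg is optional and is only cross-checked.
  static PublicKey parse(Map<String, String> jwk) throws GeneralSecurityException {
    String kty = require(jwk, "kty");
    String alg = jwk.get("alg");
    if (alg != null && !kty.equals(ktyForAlg(alg))) throw new IllegalArgumentException("alg '" + alg + "' does not match kty '" + kty + "'");
    switch (kty) {
      case "RSA": {
        // base64url per RFC 7515 section 2; the JDK URL decoder accepts the unpadded form JWK uses
        BigInteger n = new BigInteger(1, Base64.getUrlDecoder().decode(require(jwk, "n")));
        BigInteger e = new BigInteger(1, Base64.getUrlDecoder().decode(require(jwk, "e")));
        return KeyFactory.getInstance("RSA").generatePublic(new RSAPublicKeySpec(n, e));
      }
      case "EC": {
        ECParameterSpec params = curveParams(require(jwk, "crv"));
        int len = (params.getCurve().getField().getFieldSize() + 7) / 8;
        byte[] x = Base64.getUrlDecoder().decode(require(jwk, "x")), y = Base64.getUrlDecoder().decode(require(jwk, "y"));
        // RFC 7518 section 6.2.1.2: each coordinate is exactly the field size in octets
        if (x.length != len || y.length != len) throw new IllegalArgumentException("EC coordinate length does not match crv");
        ECPoint w = new ECPoint(new BigInteger(1, x), new BigInteger(1, y));
        return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(w, params));
      }
      default:
        throw new IllegalArgumentException("Unsupported kty '" + kty + "'"); // includes "oct", which has no public key
    }
  }

  // Key type that can carry a given JWS alg (RFC 7518 section 3.1); used only as a consistency check.
  static String ktyForAlg(String alg) {
    if (alg.startsWith("RS") || alg.startsWith("PS")) return "RSA";
    if (alg.startsWith("ES")) return "EC";
    throw new IllegalArgumentException("Unsupported alg '" + alg + "'");
  }

  static ECParameterSpec curveParams(String crv) throws GeneralSecurityException {
    String name = CURVES.get(crv);
    if (name == null) throw new IllegalArgumentException("Unsupported crv '" + crv + "'");
    AlgorithmParameters ap = AlgorithmParameters.getInstance("EC");
    ap.init(new ECGenParameterSpec(name));
    return ap.getParameterSpec(ECParameterSpec.class);
  }

  // Unsigned big-endian bytes of a positive integer, left-padded to len octets (0 = minimal length).
  static String b64u(BigInteger i, int len) {
    byte[] raw = i.toByteArray(); // two's complement, so it may carry one leading 0x00 sign byte
    int minimal = raw.length > 1 && raw[0] == 0 ? raw.length - 1 : raw.length;
    byte[] out = new byte[Math.max(len, minimal)];
    int n = Math.min(raw.length, out.length);
    System.arraycopy(raw, raw.length - n, out, out.length - n, n);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
  }

  // Export a JCA key as a JWK with no alg member: constructed input for the round trip in main().
  static Map<String, String> toJwk(PublicKey key) {
    Map<String, String> jwk = new LinkedHashMap<>();
    if (key instanceof RSAPublicKey) {
      RSAPublicKey k = (RSAPublicKey) key;
      jwk.put("kty", "RSA");
      jwk.put("n", b64u(k.getModulus(), 0));
      jwk.put("e", b64u(k.getPublicExponent(), 0));
    } else {
      ECPublicKey k = (ECPublicKey) key;
      int len = (k.getParams().getCurve().getField().getFieldSize() + 7) / 8;
      jwk.put("kty", "EC");
      jwk.put("crv", "P-256"); // assumption of this example: main() only generates secp256r1 keys
      jwk.put("x", b64u(k.getW().getAffineX(), len));
      jwk.put("y", b64u(k.getW().getAffineY(), len));
    }
    return jwk;
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator rsaGen = KeyPairGenerator.getInstance("RSA");
    rsaGen.initialize(2048);
    KeyPairGenerator ecGen = KeyPairGenerator.getInstance("EC");
    ecGen.initialize(new ECGenParameterSpec("secp256r1"));
    for (PublicKey original : List.of(rsaGen.generateKeyPair().getPublic(), ecGen.generateKeyPair().getPublic())) {
      Map<String, String> jwk = toJwk(original); // carries kty but no alg member
      System.out.println(jwk.get("kty") + " rebuilt from kty alone: " + Arrays.equals(original.getEncoded(), parse(jwk).getEncoded()));
    }
    Map<String, String> mislabelled = toJwk(rsaGen.generateKeyPair().getPublic());
    mislabelled.put("alg", "ES256"); // an RSA key claiming an EC algorithm is rejected rather than mis-parsed
    try { parse(mislabelled); } catch (IllegalArgumentException ex) { System.out.println("rejected: " + ex.getMessage()); }
  }
}
```

Compile and run with `javac JwkKtyParser.java && java JwkKtyParser`. Both round trips print true because the key type, modulus/exponent or curve and point are all recovered from kty, n, e and crv, x, y alone; a parser keyed off alg would have failed on the same input with no alg member. The default branch also covers the symmetric kty "oct", which carries no public key and must be refused rather than guessed at.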