awslabs/aws-jwt-verify

[BUG] Library forces presence of optional "use" field in JWKS key

CaerusKaru opened this issue · 4 comments

Describe the bug
If you have a JWKS with a key without the use field, the library will throw an error because it is missing. This violates the spec on this, which states that "Use of the 'use' member is OPTIONAL, unless the application requires its presence.", which I believe means this should not be on the library side to enforce, and should be optional on the part of app owners.

Versions
Which version of aws-jwt-verify are you using? 3.1.0
Are you using the library in Node.js or in the Web browser? NodeJS
If Node.js, which version of Node.js are you using? (Should be at least 14) 16
If Web browser, which web browser and which version of it are you using? N/A
If using TypeScript, which version of TypeScript are you using? (Should be at least 4) 4.7.4

To Reproduce
If you can, please provide a minimal code example that reproduces the bug.

I am an Amazon employee, using Amazon JWKS providers, so please DM me internally for a reproduction of my exact case. Otherwise, simply refer to the unit tests for the library, which cover this case explicitly.

Thanks for the message, we'll consider this and reach out to you.

A workaround, in case you're interested:

import { CognitoJwtVerifier } from "aws-jwt-verify";
import { SimpleJwksCache } from "aws-jwt-verify/jwk";

// Stamp use = "sig" onto every JWK after it is fetched, so the
// mandatory "use" check in 3.1.0 passes for keys that omit the field.
class CustomJwksCache extends SimpleJwksCache {
    async getJwks(jwksUri: string) {
        return super.getJwks(jwksUri).then(jwks => {
            jwks.keys.forEach(jwk => jwk.use = "sig");
            return jwks;
        });
    }
}

const verifier = CognitoJwtVerifier.create({
    ...config // existing verifier properties
}, {
    jwksCache: new CustomJwksCache()
});

Way ahead of you on the workaround (works perfectly), but thanks for posting that here, in case someone else needs it. I would've posted mine, but again, internal stuff 😄

Can't locate you to DM you, @CaerusKaru. Please share your alias or ping me?

Status: agreed that we should make the check on the use field optional; only if the field is there should we check that its value is sig.

Asked @CaerusKaru if he'd be interested to create a PR for this
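An added example (not aws-jwt-verify's own code) of the "use" handling the thread settles on, beside the 3.1.0 behaviour the issue reports, plus a narrower form of the posted workaround that fills in a missing "use" instead of overwriting every key with "sig" (the posted version would also relabel a key explicitly marked "enc"). The JWKS and its key material are constructed placeholders.

```javascript
// Constructed sample JWKS; "n" values are placeholders, not real key material.
const SAMPLE_JWKS = {
  keys: [
    { kty: "RSA", kid: "k-no-use", alg: "RS256", n: "PLACEHOLDER", e: "AQAB" },
    { kty: "RSA", kid: "k-sig", use: "sig", alg: "RS256", n: "PLACEHOLDER", e: "AQAB" },
    { kty: "RSA", kid: "k-enc", use: "enc", alg: "RSA-OAEP", n: "PLACEHOLDER", e: "AQAB" },
  ],
};

// Behaviour the issue reports (3.1.0): "use" is required unconditionally,
// so the spec-compliant key "k-no-use" is rejected.
function selectSignatureJwkStrict(jwks, kid) {
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (!jwk) throw new Error(`no JWK with kid "${kid}"`);
  if (jwk.use !== "sig") throw new Error(`JWK "${kid}": use must be "sig"`);
  return jwk;
}

// Behaviour agreed in the thread: check "use" only when it is present.
// An explicit non-"sig" value such as "enc" is still rejected, so a key the
// publisher marked for encryption is never used to verify signatures.
function selectSignatureJwk(jwks, kid) {
  const jwk = jwks.keys.find((k) => k.kid === kid);
  if (!jwk) throw new Error(`no JWK with kid "${kid}"`);
  if (jwk.use !== undefined && jwk.use !== "sig") {
    throw new Error(`JWK "${kid}": use is "${jwk.use}", expected "sig"`);
  }
  return jwk;
}

// Narrower workaround for 3.1.0: default only a *missing* "use" to "sig"
// and leave declared values alone. Returns a new object; input is untouched.
function defaultMissingUseToSig(jwks) {
  return {
    ...jwks,
    keys: jwks.keys.map((k) => (k.use === undefined ? { ...k, use: "sig" } : k)),
  };
}
```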