the library doesn't check token signature
Opened this issue · 0 comments
DmitryDD commented
I've just quickly read the code and found that there is no access token signature verification.
https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L326
JWT.decode refresh_token, @public_key, false, { :algorithm => 'RS256' }
As you can see, the third argument needs to be set to true to check the signature:
https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/decode.rb#L11-L31
Here is a quick solution:
require 'openssl'
require 'jwt'

# Keycloak publishes the realm key as bare base64; wrap it into PEM so OpenSSL can load it
public_key = "-----BEGIN PUBLIC KEY-----\n" +
  @public_key.scan(/.{1,64}/).join("\n") +
  "\n-----END PUBLIC KEY-----\n"
# verify = true: the signature is checked against the key and the algorithm is pinned to RS256
JWT.decode(token, OpenSSL::PKey::RSA.new(public_key), true, algorithm: 'RS256')
Hopefully this will help someone.
Cheers
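The following is an added example, not code from the issue, the keycloak gem or ruby-jwt. It rebuilds the RS256 sign/verify step on Ruby's OpenSSL and JSON standard libraries only, so it runs without the jwt gem, and shows concretely what the third argument of JWT.decode controls: with verification off, a token whose claims were rewritten after signing is accepted; with verification on, it is rejected. It also includes the PEM wrapping from the fix above, so the bare base64 key Keycloak publishes can be loaded. All keys and claims are generated in the example; function names such as decode_rs256 and pem_from_base64 are this example's own.

```ruby
require 'openssl'
require 'json'

# base64url helpers (RFC 7515 style: no padding, URL-safe alphabet)
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

# Keycloak exposes the realm public key as bare base64 (SPKI DER);
# wrap it in PEM armor the way the issue's fix does so OpenSSL can load it.
def pem_from_base64(b64)
  "-----BEGIN PUBLIC KEY-----\n" + b64.scan(/.{1,64}/).join("\n") + "\n-----END PUBLIC KEY-----\n"
end

# Sign a payload as an RS256 JWT (header.payload.signature).
def sign_rs256(payload, private_key)
  header = { alg: 'RS256', typ: 'JWT' }
  signing_input = "#{b64url_encode(JSON.generate(header))}.#{b64url_encode(JSON.generate(payload))}"
  sig = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
  "#{signing_input}.#{b64url_encode(sig)}"
end

# Decode a JWT. verify: false ignores the signature, which is what
# JWT.decode(token, key, false) in the issue does; verify: true checks the
# signature against public_key and raises on any mismatch.
def decode_rs256(token, public_key, verify:)
  parts = token.split('.')
  raise ArgumentError, 'malformed token' unless parts.length == 3
  header = JSON.parse(b64url_decode(parts[0]))
  payload = JSON.parse(b64url_decode(parts[1]))
  return payload unless verify
  # Pin the algorithm; never let the token's own alg header pick the check.
  raise ArgumentError, "unexpected alg #{header['alg']}" unless header['alg'] == 'RS256'
  signing_input = "#{parts[0]}.#{parts[1]}"
  ok = public_key.verify(OpenSSL::Digest.new('SHA256'), b64url_decode(parts[2]), signing_input)
  raise 'signature verification failed' unless ok
  payload
end

# Replace the claims of an already signed token without re-signing it.
# This is exactly the modification an unverified decode cannot detect.
def tamper_payload(token, new_payload)
  parts = token.split('.')
  "#{parts[0]}.#{b64url_encode(JSON.generate(new_payload))}.#{parts[2]}"
end

# Walk through both decode modes on a constructed token and return
# [role seen without verification, result with verification].
def demo
  key = OpenSSL::PKey::RSA.new(2048)                      # constructed key pair
  token = sign_rs256({ 'sub' => 'alice', 'role' => 'user' }, key)
  forged = tamper_payload(token, { 'sub' => 'alice', 'role' => 'admin' })
  unverified = decode_rs256(forged, key.public_key, verify: false)['role']
  verified = begin
    decode_rs256(forged, key.public_key, verify: true)['role']
  rescue RuntimeError
    'rejected'
  end
  [unverified, verified]
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The alg pin in decode_rs256 matters as much as the verify flag: ruby-jwt's `algorithm:` option serves the same purpose, restricting which algorithms the library will accept for a given key, so a token should never be allowed to choose its own.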