jpadilla/pyjwt

Add separate exception class for PyJWKClient kid errors

james-mchugh opened this issue · 7 comments

Thank you for this project. It has been very helpful for our team integrating authentication into our existing API.

When a kid is passed to the PyJWKClient.get_signing_key method that is not in the JWK set (or is set to None, in the case that it came from PyJWKClient.get_signing_key_from_jwt and the JWT did not include a KID), a PyJWKClientError is raised. This is the same error raised if an issue is detected during client initialization or failed requests to the jwks_uri, but it will likely want to be handled differently by developers. When building an API, client initialization errors or failed requests to the jwks_uri should likely result in 500 responses or immediate failures when starting the server, whereas an error due to the JWT not having a valid KID would likely be related to token validation and should therefore result in a 401 response.

If you think this request is a worthy change, I would be up for submitting a PR.

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 7 days

This is still relevant

auvipy commented

I would like to see the draft implementation.


The exception being raised includes the explicit text 'Unable to find a signing key that matches: "{kid}"'. As happens in many Python modules, it is sometimes the exception description which is used to disambiguate the underlying cause of the error.
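The message-matching workaround from the comment above, applied to the 401-versus-500 split the issue asks for. This is an added example, not code from the thread or from PyJWT; `status_for_key_lookup`, the two test-double subclasses and the placeholder URI are hypothetical names constructed so it runs offline.

```python
from jwt import PyJWKClient, PyJWKClientError

# Message prefix quoted in the thread for a kid that is not in the JWK set.
KID_MISS_PREFIX = "Unable to find a signing key that matches"


def status_for_key_lookup(client, kid):
    """Return (http_status, key): 200 with the key, 401 for an unknown kid,
    500 for any other PyJWKClientError (fetch or configuration failure)."""
    try:
        return 200, client.get_signing_key(kid)
    except PyJWKClientError as exc:
        # String matching is brittle: if the wording ever changes, a kid
        # miss falls through to 500. The request is rejected either way,
        # so the failure mode is a wrong status code, not an accepted token.
        if str(exc).startswith(KID_MISS_PREFIX):
            return 401, None
        return 500, None


class EmptySetClient(PyJWKClient):
    """Constructed test double: the JWK set holds no signing keys."""

    def get_signing_keys(self, refresh=False):
        return []


class UnreachableClient(PyJWKClient):
    """Constructed test double: every fetch of the jwks_uri fails."""

    def fetch_data(self):
        raise PyJWKClientError("constructed: jwks_uri fetch failed")


JWKS_URI = "https://idp.example.invalid/jwks.json"  # placeholder, never contacted

if __name__ == "__main__":
    print(status_for_key_lookup(EmptySetClient(JWKS_URI), "missing-kid"))
    print(status_for_key_lookup(EmptySetClient(JWKS_URI), None))  # JWT had no kid
    print(status_for_key_lookup(UnreachableClient(JWKS_URI), "any-kid"))
```
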
