added eager alg error check to minimize misuse

2026-05-19 14:21:28 -04:00 · 2026-05-02 23:20:32 +03:00
parent db88253aac
commit d153553d52
2 changed files with 8 additions and 2 deletions
--- a/tools/auth/internal/jwk/jwk.go
+++ b/tools/auth/internal/jwk/jwk.go
@@ -114,12 +114,12 @@ func Fetch(ctx context.Context, jwksURL string, kid string) (*JWK, error) {
 	}

 	for _, key := range jwks.Keys {
-		if key.Kid == kid {
+		if key.Kid == kid && key.Alg != "" {
 			return key, nil
 		}
 	}

-	return nil, fmt.Errorf("JWK with kid %q was not found", kid)
+	return nil, fmt.Errorf("missing JWK with kid %q and non-empty alg", kid)
 }

 // ValidateTokenSignature validates the signature of a token with the
--- a/tools/auth/internal/jwk/jwk_test.go
+++ b/tools/auth/internal/jwk/jwk_test.go
@@ -168,6 +168,12 @@ func TestFetch(t *testing.T) {
 			true,
 			nil,
 		},
+		{
+			"matching kid (no alg)",
+			"abc",
+			true,
+			nil,
+		},
 		{
 			"matching kid",
 			"def",