
Ignoring invalid keys in a JWKS does not work #862

@timw6n

Description

Summary.

Expected Result

A JWKS that contains two keys, one with a supported curve, one unsupported, should result in the valid key being output.

That is the clear intention of the code here in __init__ of PyJWKSet:

        for key in keys:
            try:
                self.keys.append(PyJWK(key))
            except PyJWKError:
                # skip unusable keys
                continue

Actual Result

A jwt.exceptions.InvalidKeyError is thrown to the top level.

I think the issue is that it is PyJWKError that is being caught, but InvalidKeyError extends PyJWTError. I don't know the codebase at all really, but I suspect catching the broader exception would resolve the issue.

Reproduction Steps

We saw this with a JWKS containing a key with crv "X25519".

System Information

{
  "cryptography": {
    "version": "38.0.4"
  },
  "implementation": {
    "name": "CPython",
    "version": "3.10.6"
  },
  "platform": {
    "release": "6.0.0-1011-oem",
    "system": "Linux"
  },
  "pyjwt": {
    "version": "2.6.0"
  }
}
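The following is an added, self-contained model of the PyJWKSet loop quoted above; it is not pyjwt's own code. The exception classes, parse_jwk and the sample JWKS are stand-ins that assume, as the report describes, that InvalidKeyError and PyJWKError are siblings under PyJWTError. It shows why the catch misses the X25519 key and how a catch on the common base class skips it while still recording which keys were dropped and why.

```python
"""Model of the PyJWKSet key-loading loop from the issue (stand-in, not pyjwt)."""

class PyJWTError(Exception):
    """Base class; mirrors the name used by pyjwt."""

class PyJWKError(PyJWTError):
    """Stand-in for the error the quoted loop catches."""

class InvalidKeyError(PyJWTError):
    """Stand-in for the error raised on an unsupported kty/crv; a sibling of
    PyJWKError, not a subclass, so `except PyJWKError` does not see it."""

# Curves this model accepts per key type (assumption for the model).
SUPPORTED_CRV = {"EC": {"P-256", "P-384", "P-521", "secp256k1"}, "OKP": {"Ed25519"}}

def parse_jwk(key):
    """Minimal model of PyJWK(key): return the key or raise InvalidKeyError."""
    kty, crv = key.get("kty"), key.get("crv")
    if kty in ("RSA", "oct"):
        return key
    if kty in SUPPORTED_CRV and crv in SUPPORTED_CRV[kty]:
        return key
    raise InvalidKeyError(f"Unsupported kty/crv: {kty}/{crv}")

def load_jwks(jwks, skip_on):
    """The quoted loop, parameterised on the exception class it catches.
    Returns (usable keys, skipped (kid, reason) pairs) so skips stay visible."""
    usable, skipped = [], []
    for key in jwks.get("keys", []):
        try:
            usable.append(parse_jwk(key))
        except skip_on as exc:
            skipped.append((key.get("kid"), str(exc)))
    return usable, skipped

# Constructed JWKS: one usable P-256 signing key and one X25519 key-agreement
# key. Coordinates are placeholders; parse_jwk never decodes them.
SAMPLE_JWKS = {"keys": [
    {"kty": "EC", "crv": "P-256", "kid": "sig-1", "x": "PLACEHOLDER", "y": "PLACEHOLDER"},
    {"kty": "OKP", "crv": "X25519", "kid": "kx-1", "x": "PLACEHOLDER"},
]}

def as_shipped():
    """Catch only PyJWKError, as in the quoted loop: InvalidKeyError escapes."""
    try:
        return load_jwks(SAMPLE_JWKS, skip_on=PyJWKError)
    except InvalidKeyError as exc:
        return None, [("<escaped>", str(exc))]

def with_broader_catch():
    """Catch the common base PyJWTError: the X25519 key is skipped and logged."""
    return load_jwks(SAMPLE_JWKS, skip_on=PyJWTError)
```

Logging the skipped list matters: a broader catch that silently drops keys would also hide a genuinely misconfigured JWKS.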
