feat: fallback to jwt secret if alg is HS256 and the kid is not recognized (#2072)

hf · web-flow · commit 8fa99bd6cab9 · 2025-07-03T12:02:46.000+02:00
Some customers may be using JWTs signed with the JWT secret but they may
be advertising a `kid` claim for their own purposes. Auth should try to
reasonably accept those JWTs.
diff --git a/internal/api/auth.go b/internal/api/auth.go
@@ -77,7 +77,15 @@ func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, e
 	token, err := p.ParseWithClaims(bearer, &AccessTokenClaims{}, func(token *jwt.Token) (interface{}, error) {
 		if kid, ok := token.Header["kid"]; ok {
 			if kidStr, ok := kid.(string); ok {
-				return conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				key, err := conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				if err != nil {
+					return nil, err
+				}
+				if key != nil {
+					return key, nil
+				}
+
+				// otherwise try to use fallback
 			}
 		}
 		if alg, ok := token.Header["alg"]; ok {
@@ -86,7 +94,8 @@ func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, e
 				return []byte(config.JWT.Secret), nil
 			}
 		}
-		return nil, fmt.Errorf("missing kid")
+
+		return nil, fmt.Errorf("unrecognized JWT kid %v for algorithm %v", token.Header["kid"], token.Header["alg"])
 	})
 	if err != nil {
 		return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeBadJWT, "invalid JWT: unable to parse or verify signature, %v", err).WithInternalError(err)
diff --git a/internal/api/external.go b/internal/api/external.go
@@ -506,16 +506,26 @@ func (a *API) loadExternalState(ctx context.Context, r *http.Request) (context.C
 	_, err := p.ParseWithClaims(state, &claims, func(token *jwt.Token) (interface{}, error) {
 		if kid, ok := token.Header["kid"]; ok {
 			if kidStr, ok := kid.(string); ok {
-				return conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				key, err := conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				if err != nil {
+					return nil, err
+				}
+
+				if key != nil {
+					return key, nil
+				}
+
+				// otherwise try to use fallback
 			}
 		}
 		if alg, ok := token.Header["alg"]; ok {
 			if alg == jwt.SigningMethodHS256.Name {
-				// preserve backward compatibility for cases where the kid is not set
+				// preserve backward compatibility for cases where the kid is not set or potentially invalid but the key can be decoded with the secret
 				return []byte(config.JWT.Secret), nil
 			}
 		}
-		return nil, fmt.Errorf("missing kid")
+
+		return nil, fmt.Errorf("unrecognized JWT kid %v for algorithm %v", token.Header["kid"], token.Header["alg"])
 	})
 	if err != nil {
 		return ctx, apierrors.NewBadRequestError(apierrors.ErrorCodeBadOAuthState, "OAuth callback with invalid state").WithInternalError(err)
diff --git a/internal/conf/jwk.go b/internal/conf/jwk.go
@@ -168,5 +168,7 @@ func FindPublicKeyByKid(kid string, config *JWTConfiguration) (any, error) {
 	if kid == config.KeyID {
 		return []byte(config.Secret), nil
 	}
-	return nil, fmt.Errorf("invalid kid: %s", kid)
+
+	// don't return error, as a fallback key might be used
+	return nil, nil
 }
diff --git a/internal/conf/jwk_test.go b/internal/conf/jwk_test.go
@@ -241,8 +241,7 @@ func TestJwtKeys(t *testing.T) {
 		}
 		got, err := FindPublicKeyByKid("abc", jwtConfig)
 		require.Nil(t, got)
-		require.Error(t, err)
-		require.Equal(t, "invalid kid: abc", err.Error())
+		require.Nil(t, err)
 	}
 
 	// FindPublicKeyByKid - GetSigningKey success

Original file line number	Diff line number	Diff line change
`@@ -168,5 +168,7 @@ func FindPublicKeyByKid(kid string, config *JWTConfiguration) (any, error) {`
`168`	`168`	`if kid == config.KeyID {`
`169`	`169`	`return []byte(config.Secret), nil`
`170`	`170`	`}`
`171`		`- return nil, fmt.Errorf("invalid kid: %s", kid)`
	`171`	`+`
	`172`	`+ // don't return error, as a fallback key might be used`
	`173`	`+ return nil, nil`
`172`	`174`	`}`
Original file line number	Diff line number	Diff line change
`@@ -241,8 +241,7 @@ func TestJwtKeys(t *testing.T) {`
`241`	`241`	`}`
`242`	`242`	`got, err := FindPublicKeyByKid("abc", jwtConfig)`
`243`	`243`	`require.Nil(t, got)`
`244`		`- require.Error(t, err)`
`245`		`- require.Equal(t, "invalid kid: abc", err.Error())`
	`244`	`+ require.Nil(t, err)`
`246`	`245`	`}`
`247`	`246`
`248`	`247`	`// FindPublicKeyByKid - GetSigningKey success`