feat: fallback to jwt secret if alg is HS256 and the kid is not recognized (#2072)

Some customers may be using JWTs signed with the JWT secret but they may
be advertising a `kid` claim for their own purposes. Auth should try to
reasonably accept those JWTs.

Author: hf

internal/api/auth.go

@@ -77,7 +77,15 @@ func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, e
 	token, err := p.ParseWithClaims(bearer, &AccessTokenClaims{}, func(token *jwt.Token) (interface{}, error) {
 		if kid, ok := token.Header["kid"]; ok {
 			if kidStr, ok := kid.(string); ok {
-				return conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				key, err := conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				if err != nil {
+					return nil, err
+				}
+				if key != nil {
+					return key, nil
+				}
+
+				// otherwise try to use fallback
 			}
 		}
 		if alg, ok := token.Header["alg"]; ok {
@@ -86,7 +94,8 @@ func (a *API) parseJWTClaims(bearer string, r *http.Request) (context.Context, e
 				return []byte(config.JWT.Secret), nil
 			}
 		}
-		return nil, fmt.Errorf("missing kid")
+
+		return nil, fmt.Errorf("unrecognized JWT kid %v for algorithm %v", token.Header["kid"], token.Header["alg"])
 	})
 	if err != nil {
 		return nil, apierrors.NewForbiddenError(apierrors.ErrorCodeBadJWT, "invalid JWT: unable to parse or verify signature, %v", err).WithInternalError(err)

internal/api/external.go

@@ -506,16 +506,26 @@ func (a *API) loadExternalState(ctx context.Context, r *http.Request) (context.C
 	_, err := p.ParseWithClaims(state, &claims, func(token *jwt.Token) (interface{}, error) {
 		if kid, ok := token.Header["kid"]; ok {
 			if kidStr, ok := kid.(string); ok {
-				return conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				key, err := conf.FindPublicKeyByKid(kidStr, &config.JWT)
+				if err != nil {
+					return nil, err
+				}
+
+				if key != nil {
+					return key, nil
+				}
+
+				// otherwise try to use fallback
 			}
 		}
 		if alg, ok := token.Header["alg"]; ok {
 			if alg == jwt.SigningMethodHS256.Name {
-				// preserve backward compatibility for cases where the kid is not set
+				// preserve backward compatibility for cases where the kid is not set or potentially invalid but the key can be decoded with the secret
 				return []byte(config.JWT.Secret), nil
 			}
 		}
-		return nil, fmt.Errorf("missing kid")
+
+		return nil, fmt.Errorf("unrecognized JWT kid %v for algorithm %v", token.Header["kid"], token.Header["alg"])
 	})
 	if err != nil {
 		return ctx, apierrors.NewBadRequestError(apierrors.ErrorCodeBadOAuthState, "OAuth callback with invalid state").WithInternalError(err)

internal/conf/jwk.go

@@ -168,5 +168,7 @@ func FindPublicKeyByKid(kid string, config *JWTConfiguration) (any, error) {
 	if kid == config.KeyID {
 		return []byte(config.Secret), nil
 	}
-	return nil, fmt.Errorf("invalid kid: %s", kid)
+
+	// don't return error, as a fallback key might be used
+	return nil, nil
 }

internal/conf/jwk_test.go

@@ -241,8 +241,7 @@ func TestJwtKeys(t *testing.T) {
 		}
 		got, err := FindPublicKeyByKid("abc", jwtConfig)
 		require.Nil(t, got)
-		require.Error(t, err)
-		require.Equal(t, "invalid kid: abc", err.Error())
+		require.Nil(t, err)
 	}
 
 	// FindPublicKeyByKid - GetSigningKey success