Skip unrecognized algorithms and keys in provider metadata

Previously, this crate would return a deserialization error if it encountered any unrecognized signature or encryption algorithms in the `ProviderMetadata` and `JsonWebKeySet`. This patch changes the behavior to instead ignore unexpected values, with the aim of improving compatibility with OIDC providers that support other algorithms but don't necessarily use them to sign JWTs. This change focuses on the signing/encryption enums since those are difficult to override via type parameters due to the interdependence between the key and algorithm traits/types.
ramosbugs · Jan 11, 2023 · 0db8ad1 · 0db8ad1
1 parent 424b44f
commit 0db8ad1
Show file tree

Hide file tree

Showing 5 changed files with 359 additions and 54 deletions.
diff --git a/Cargo-1.45.lock b/Cargo-1.45.lock
@@ -221,6 +221,41 @@ dependencies = [
  "winapi",
 ]
 
+[[package]]
+name = "darling"
+version = "0.13.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a01d95850c592940db9b8194bc39f4bc0e89dee5c4265e4b1807c34a9aba453c"
+dependencies = [
+ "darling_core",
+ "darling_macro",
+]
+
+[[package]]
+name = "darling_core"
+version = "0.13.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "859d65a907b6852c9361e3185c862aae7fafd2887876799fa55f5f99dc40d610"
+dependencies = [
+ "fnv",
+ "ident_case",
+ "proc-macro2",
+ "quote",
+ "strsim",
+ "syn",
+]
+
+[[package]]
+name = "darling_macro"
+version = "0.13.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9c972679f83bdf9c42bd905396b6c3588a843a17f0f16dfcfa3e2c5d57441835"
+dependencies = [
+ "darling_core",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "diff"
 version = "0.1.13"
@@ -520,6 +555,12 @@ dependencies = [
  "tokio-native-tls",
 ]
 
+[[package]]
+name = "ident_case"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b9e0384b61958566e926dc50660321d12159025e767c18e043daf26b70104c39"
+
 [[package]]
 name = "idna"
 version = "0.2.3"
@@ -774,7 +815,7 @@ checksum = "ac8b1a9b2518dc799a2271eff1688707eb315f0d4697aa6b0871369ca4c4da55"
 
 [[package]]
 name = "openidconnect"
-version = "2.4.1"
+version = "2.5.0"
 dependencies = [
  "anyhow",
  "base64",
@@ -797,6 +838,7 @@ dependencies = [
  "serde_json",
  "serde_path_to_error",
  "serde_plain",
+ "serde_with",
  "subtle",
  "thiserror",
  "url",
@@ -1079,6 +1121,12 @@ dependencies = [
  "webpki",
 ]
 
+[[package]]
+name = "rustversion"
+version = "1.0.11"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5583e89e108996506031660fe09baa5011b9dd0341b89029313006d1fb508d70"
+
 [[package]]
 name = "ryu"
 version = "1.0.10"
@@ -1199,6 +1247,29 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "serde_with"
+version = "1.13.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "b827f2113224f3f19a665136f006709194bdfdcb1fdc1e4b2b5cbac8e0cced54"
+dependencies = [
+ "rustversion",
+ "serde",
+ "serde_with_macros",
+]
+
+[[package]]
+name = "serde_with_macros"
+version = "1.5.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e182d6ec6f05393cc0e5ed1bf81ad6db3a8feedf8ee515ecdd369809bcce8082"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
 [[package]]
 name = "sha2"
 version = "0.10.2"
@@ -1233,6 +1304,12 @@ version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d"
 
+[[package]]
+name = "strsim"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "73473c0e59e6d5812c5dfe2a064a6444949f089e20eec9a2e5506596494e4623"
+
 [[package]]
 name = "subtle"
 version = "2.4.1"

diff --git a/Cargo.toml b/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "openidconnect"
-version = "2.4.1"
+version = "2.5.0"
 authors = ["David A. Ramos <[email protected]>"]
 description = "OpenID Connect library"
 license = "MIT"
@@ -44,6 +44,7 @@ serde_derive = "1.0"
 serde_json = "1.0"
 serde_path_to_error = "0.1"
 serde_plain = "1.0"
+serde_with = "1.13"
 serde-value = "0.7"
 url = { version = "2.1", features = ["serde"] }
 num-bigint = "0.4.3"

diff --git a/src/core/jwk.rs b/src/core/jwk.rs
@@ -550,6 +550,7 @@ serialize_as_str!(CoreJsonWebKeyUse);
 
 #[cfg(test)]
 mod tests {
+    use crate::core::CoreJsonWebKeySet;
     use ring::test::rand::FixedByteRandom;
 
     use crate::jwt::tests::{TEST_EC_PUB_KEY_P256, TEST_EC_PUB_KEY_P384, TEST_RSA_PUB_KEY};
@@ -1287,4 +1288,59 @@ mod tests {
 
         assert_ne!(sig1, sig2);
     }
+
+    // Tests that JsonWebKeySet ignores unsupported keys during deserialization so that clients can
+    // use providers that include unsupported keys as long as they only use supported ones to sign
+    // payloads.
+    #[test]
+    fn test_jwks_unsupported_key() {
+        let jwks_json = "{
+            \"keys\": [
+                {
+                    \"kty\": \"RSA\",
+                    \"use\": \"sig\",
+                    \"kid\": \"2011-04-29\",
+                    \"n\": \"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhD\
+                             R1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6C\
+                             f0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1\
+                             n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1\
+                             jF44-csFCur-kEgU8awapJzKnqDKgw\",
+                    \"e\": \"AQAB\"
+                },
+                {
+                    \"kty\": \"MAGIC\",
+                    \"use\": \"sig\",
+                    \"kid\": \"2040-01-01\",
+                    \"magic\": \"magic\"
+                },
+                {
+                    \"kty\": \"EC\",
+                    \"use\": \"sig\",
+                    \"kid\": \"2011-05-01\",
+                    \"crv\": \"P-256\",
+                    \"x\": \"kXCGZIr3oI6sKbnT6rRsIdxFXw3_VbLk_cveajgqXk8\",
+                    \"y\": \"StDvKIgXqAxJ6DuebREh-1vgvZRW3dfrOxSIKzBtRI0\"
+                }
+            ]
+        }";
+        let jwks = serde_json::from_str::<CoreJsonWebKeySet>(jwks_json)
+            .expect("deserialization should succeed");
+
+        assert_eq!(jwks.keys().len(), 2);
+
+        assert_eq!(jwks.keys()[0].kty, CoreJsonWebKeyType::RSA);
+        assert_eq!(jwks.keys()[0].use_, Some(CoreJsonWebKeyUse::Signature));
+        assert_eq!(
+            jwks.keys()[0].kid,
+            Some(JsonWebKeyId::new("2011-04-29".to_string()))
+        );
+
+        assert_eq!(jwks.keys()[1].kty, CoreJsonWebKeyType::EllipticCurve);
+        assert_eq!(jwks.keys()[1].use_, Some(CoreJsonWebKeyUse::Signature));
+        assert_eq!(
+            jwks.keys()[1].kid,
+            Some(JsonWebKeyId::new("2011-05-01".to_string()))
+        );
+        assert_eq!(jwks.keys()[1].crv, Some(CoreJsonCurveType::P256));
+    }
 }