[fix][broker] Support OIDC providers with JWK without alg field set i…

…n keys (apache#22421) (cherry picked from commit a1970ae) (cherry picked from commit 4a79a26)
datastax · Apr 19, 2024 · e4eb9f1 · e4eb9f1
1 parent 3bd3ce0
commit e4eb9f1
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/.../main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java b/.../main/java/org/apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenID.java
@@ -303,7 +303,8 @@ private CompletableFuture<DecodedJWT> authenticateToken(String token) {
         return verifyIssuerAndGetJwk(jwt)
                 .thenCompose(jwk -> {
                     try {
-                        if (!jwt.getAlgorithm().equals(jwk.getAlgorithm())) {
+                        // verify the algorithm, if it is set ("alg" is optional in the JWK spec)
+                        if (jwk.getAlgorithm() != null && !jwt.getAlgorithm().equals(jwk.getAlgorithm())) {
                             incrementFailureMetric(AuthenticationExceptionCode.ALGORITHM_MISMATCH);
                             return CompletableFuture.failedFuture(
                                     new AuthenticationException("JWK's alg [" + jwk.getAlgorithm()

diff --git a/...apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDIntegrationTest.java b/...apache/pulsar/broker/authentication/oidc/AuthenticationProviderOpenIDIntegrationTest.java
@@ -75,6 +75,7 @@ public class AuthenticationProviderOpenIDIntegrationTest {
     // These are the kid values for JWKs in the /keys endpoint
     String validJwk = "valid";
     String invalidJwk = "invalid";
+    String validJwkWithoutAlg = "valid_without_alg";
 
     // The valid issuer
     String issuer;
@@ -188,10 +189,16 @@ void beforeClass() throws IOException {
                                                 "kty":"RSA",
                                                 "n":"invalid-key",
                                                 "e":"AQAB"
+                                                },
+                                                {
+                                                "kid":"%s",
+                                                "kty":"RSA",
+                                                "n":"%s",
+                                                "e":"%s"
                                                 }
                                             ]
                                         }
-                                        """.formatted(validJwk, n, e, invalidJwk))));
+                                        """.formatted(validJwk, n, e, invalidJwk, validJwkWithoutAlg, n, e))));
 
         server.stubFor(
                 get(urlEqualTo("/missing-kid/.well-known/openid-configuration"))
@@ -274,6 +281,14 @@ public void testTokenWithValidJWK() throws Exception {
         assertEquals(role, provider.authenticateAsync(new AuthenticationDataCommand(token)).get());
     }
 
+    @Test
+    public void testTokenWithValidJWKWithoutAlg() throws Exception {
+        String role = "superuser";
+        // test with a key in JWK that does not have an "alg" field. "alg" is optional in the JWK spec
+        String token = generateToken(validJwkWithoutAlg, issuer, role, "allowed-audience", 0L, 0L, 10000L);
+        assertEquals(role, provider.authenticateAsync(new AuthenticationDataCommand(token)).get());
+    }
+
     @Test
     public void testTokenWithTrailingSlashAndValidJWK() throws Exception {
         String role = "superuser";