Commit d624c651d60c89fce8aa8081a425fc49cd7fa598

Parents: 0b19761fb3f33500435a3469a438294f80ee01a8

From: Moritz Poldrack <git@moritz.sh>
Date: Thu Jan 11 11:42:59 2024 +0700

fix panic when key validation is disabled

		

Stats

token.go +17/-7

Changeset

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
diff --git a/token.go b/token.go
index 130b9757192eef38a05e2a94b134d46e14672618..6aa9486348196d36f6baee58670bc733aaa743cc 100644
--- a/token.go
+++ b/token.go
@@ -8,6 +8,7 @@ 	"context"
 	"fmt"
 	"time"
 
+	"github.com/lestrrat-go/jwx/v2/jwk"
 	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/lestrrat-go/jwx/v2/jwt/openid"
 	"golang.org/x/oauth2"
@@ -55,9 +56,13 @@ 		cfg:    cfg,
 	}
 
 	token := fmt.Sprint(tok.Extra("id_token"))
-	keyset, err := cfg.jwtKeyCache.Get(context.Background(), cfg.cfg.JwksURI)
-	if err != nil {
-		return result
+	var keyset jwk.Set
+	var err error
+	if !cfg.options.has(OptionSkipTokenValidation) {
+		keyset, err = cfg.jwtKeyCache.Get(context.Background(), cfg.cfg.JwksURI)
+		if err != nil {
+			return result
+		}
 	}
 	idToken, err := jwt.Parse(
 		[]byte(token),
@@ -84,9 +89,14 @@ // Authorization header.
 func (cfg *Configuration) ParseJWT(token string) (*Token, error) {
 	result := &Token{}
 
-	keyset, err := cfg.jwtKeyCache.Get(context.Background(), cfg.cfg.JwksURI)
-	if err != nil {
-		return result, fmt.Errorf("failed to retrieve JWT keys: %w", err)
+	var keyset jwk.Set
+	var err error
+
+	if !cfg.options.has(OptionSkipTokenValidation) {
+		keyset, err = cfg.jwtKeyCache.Get(context.Background(), cfg.cfg.JwksURI)
+		if err != nil {
+			return result, fmt.Errorf("failed to retrieve JWT keys: %w", err)
+		}
 	}
 	idToken, err := jwt.Parse(
 		[]byte(token),
@@ -94,7 +104,7 @@ 		jwt.WithToken(openid.New()),
 		jwt.WithVerify(!cfg.options.has(OptionSkipTokenValidation)),
 		jwt.WithKeySet(keyset),
 	)
-	if err == nil {
+	if err != nil {
 		return result, fmt.Errorf("failed to parse JWT: %w", err)
 	}