Merge pull request #55 from olifre/remove-kid-requirement2

djw8605 · web-flow · commit 79ea3771731b · 2022-01-04T11:34:01.000-07:00
Allow empty Key-ID / kid if only a single key is published
diff --git a/src/scitokens_internal.cpp b/src/scitokens_internal.cpp
@@ -172,18 +172,26 @@ picojson::value::object find_key_id(const picojson::value json, const std::strin
         throw JsonException("Metadata resource is missing 'keys' array value");
     }
     auto keys_array = iter->second.get<picojson::array>();
-    for (auto &key : keys_array) {
-        if (!key.is<picojson::object>()) {continue;}
+    if (kid.empty()) {
+        if (keys_array.size() != 1) {
+            throw JsonException("Key ID empty but multiple keys published.");
+        }
+        auto &key = keys_array.at(0);
+        return key.get<picojson::object>();
+    } else {
+        for (auto &key : keys_array) {
+            if (!key.is<picojson::object>()) {continue;}
 
-        auto key_obj = key.get<picojson::object>();
-        iter = key_obj.find("kid");
-        if (iter == key_obj.end() || (!iter->second.is<std::string>())) {continue;}
+            auto key_obj = key.get<picojson::object>();
+            iter = key_obj.find("kid");
+            if (iter == key_obj.end() || (!iter->second.is<std::string>())) {continue;}
 
-        std::string cur_kid = iter->second.get<std::string>();
+            std::string cur_kid = iter->second.get<std::string>();
 
-        if (cur_kid == kid) {return key_obj;}
+            if (cur_kid == kid) {return key_obj;}
+        }
+        throw JsonException("Key ID is not published by the issuer.");
     }
-    throw JsonException("Key ID is not published by the issuer.");
 }
 
 
diff --git a/src/scitokens_internal.h b/src/scitokens_internal.h
@@ -270,9 +270,6 @@ class Validator {
         if (!jwt.has_payload_claim("iss")) {
             throw jwt::token_verification_exception("'iss' claim is mandatory");
         }
-        if (!jwt.has_header_claim("kid")) {
-            throw jwt::token_verification_exception("'kid' claim is mandatory");
-        }
         if (!m_allowed_issuers.empty()) {
             std::string issuer = jwt.get_issuer();
             bool permitted = false;
@@ -297,9 +294,17 @@ class Validator {
 
         std::string public_pem;
         std::string algorithm;
-        get_public_key_pem(jwt.get_issuer(), jwt.get_key_id(), public_pem, algorithm);
+        // Key id is optional in the RFC, set to blank if it doesn't exist
+        std::string key_id;
+        try {
+            key_id = jwt.get_key_id();
+        } catch (const std::runtime_error&) {
+            // Don't do anything, key_id is empty, as it should be.
+        }
+
+        get_public_key_pem(jwt.get_issuer(), key_id, public_pem, algorithm);
         // std::cout << "Public PEM: " << public_pem << std::endl << "Algorithm: " << algorithm << std::endl;
-        SciTokenKey key(jwt.get_key_id(), algorithm, public_pem, "");
+        SciTokenKey key(key_id, algorithm, public_pem, "");
         auto verifier = jwt::verify()
             .allow_algorithm(key);
 
