feat: discover alg by jwks

wpjunior · wpjunior · commit 0674348d0622 · 2025-02-27T10:25:32.000-03:00
diff --git a/lib/resty/libjwt/init.lua b/lib/resty/libjwt/init.lua
@@ -58,7 +58,17 @@ function _M.validate(user_params)
         if jwks_item == nil then
             goto continue
         end
-        jwks_c.jwt_checker_setkey(checker, jwks_c.JWT_ALG_RS256, jwks_item);
+        local alg = jwks_c.jwks_item_alg(jwks_item);
+
+        if alg == jwks_c.JWT_ALG_NONE then
+            return nil, _M.response_error("No algorithm found on jwks", params.return_unauthorized_default)
+        end
+
+        if alg == jwks_c.JWT_ALG_INVAL then
+            return nil, _M.response_error("invalid algorithm found on jwks", params.return_unauthorized_default)
+        end
+
+        jwks_c.jwt_checker_setkey(checker, alg, jwks_item);
         local result = jwks_c.jwt_checker_verify(checker, token);
         if result == TOKEN_VALID then
             return parsed_token, ""
diff --git a/lib/resty/libjwt/jwks_c.lua b/lib/resty/libjwt/jwks_c.lua
@@ -25,18 +25,14 @@ typedef enum {
     JWT_ALG_INVAL,		/**< An invalid algorithm from the caller or the token */
 } jwt_alg_t;
 
-
-struct jwk_item {
-	jwt_alg_t alg;
-};
-
 typedef struct jwk_item jwk_item_t;
 
 int jwt_checker_setkey(jwt_checker_t *checker, const jwt_alg_t alg, const jwk_item_t *key);
 typedef struct jwk_set jwk_set_t;
 jwk_set_t *jwks_create(const char *jwk_json_str);
 const jwk_item_t *jwks_item_get(const jwk_set_t *jwk_set, size_t index);
 jwk_item_t *jwks_find_bykid(jwk_set_t *jwk_set, const char *kid);
+jwt_alg_t jwks_item_alg(const jwk_item_t *item);
 ]]
 
 local libjwt = ffi.load("libjwt");
