fix: improve JWS and key verification (#128)

* fix: improve JWS and key verification

* fix: get remote keys if no cached key matches

* fix: get remote keys if no cached key matches

* fix exactMatch

* fix exactMatch

* chore: change default branch name in .releaserc.js
Livio Amstutz 2021-09-14 15:13:44 +02:00 committed by GitHub
parent 2b5b436c41
commit a63fbee93d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
7 changed files with 453 additions and 32 deletions


@ -39,6 +39,7 @@ var (
ErrSignatureMultiple = errors.New("id_token contains multiple signatures")
ErrSignatureUnsupportedAlg = errors.New("signature algorithm not supported")
ErrSignatureInvalidPayload = errors.New("signature does not match Payload")
ErrSignatureInvalid = errors.New("invalid signature")
ErrExpired = errors.New("token has expired")
ErrIatMissing = errors.New("issuedAt of token is missing")
ErrIatInFuture = errors.New("issuedAt of token is in the future")
@ -143,7 +144,7 @@ func CheckSignature(ctx context.Context, token string, payload []byte, claims Cl
signedPayload, err := set.VerifySignature(ctx, jws)
if err != nil {
return err
return fmt.Errorf("%w (%v)", ErrSignatureInvalid, err)
}
if !bytes.Equal(signedPayload, payload) {