There is an assumption about how this bundle will be used which isn't immediately apparent. Specifically it is assumed that the JWTs which this bundle will authenticate are signed using the algo named in `encoder.signature_algorithm`. It's not immediately apparent that `additional_public_keys` cannot be populated with the pubkeys of other JWT issuers who may sign using a variety of algos.
For example, if one doesn't change `encoder.signature_algorithm` from the default RS256, then one might be surprised to find the bundle treats as invalid JWTs signed using RS512, even when `additional_public_keys` contains the corresponding pubkey.
Forgive me if this is documented already.
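Added example, not part of the issue or the bundle's code: a simplified model of the behaviour described above, with a verifier that pins one algorithm for every key next to a hypothetical variant that binds an algorithm to each key. HMAC (HS256/HS512) stands in for RS256/RS512 so it runs on the Python standard library alone; all function names, keys and tokens are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Stand-in algorithms: HMAC replaces RSA so only the standard library is needed.
ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, key: bytes, alg: str) -> str:
    head = b64(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64(json.dumps(claims).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), ALGS[alg]).digest()
    return f"{head}.{body}.{b64(mac)}"

def verify_pinned(token: str, keys: list, pinned_alg: str) -> bool:
    """Model of the issue: one configured algorithm applies to every key."""
    head, body, sig = token.split(".")
    if json.loads(unb64(head)).get("alg") != pinned_alg:
        return False  # algorithm mismatch: the key list is never consulted
    msg = f"{head}.{body}".encode()
    return any(
        hmac.compare_digest(hmac.new(k, msg, ALGS[pinned_alg]).digest(), unb64(sig))
        for k in keys
    )

def verify_per_key(token: str, keyring: list) -> bool:
    """Hypothetical alternative: each key is bound to its issuer's algorithm."""
    head, body, sig = token.split(".")
    alg = json.loads(unb64(head)).get("alg")
    msg = f"{head}.{body}".encode()
    for key, key_alg in keyring:
        # A key is only ever used with the single algorithm registered for it.
        if alg == key_alg and alg in ALGS:
            if hmac.compare_digest(hmac.new(key, msg, ALGS[alg]).digest(), unb64(sig)):
                return True
    return False

# Constructed sample keys and tokens.
OWN_KEY, PARTNER_KEY = b"own-issuer-key", b"partner-issuer-key"
KEYRING = [(OWN_KEY, "HS256"), (PARTNER_KEY, "HS512")]
own_token = sign({"sub": "alice"}, OWN_KEY, "HS256")
partner_token = sign({"sub": "bob"}, PARTNER_KEY, "HS512")
```

In the per-key variant a token is accepted only when its `alg` header equals the algorithm registered for the key that verifies it, so accepting several issuers does not mean accepting any algorithm with any key.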