NPE thrown when JWKs verification fails and log level is DEBUG #1839
Assignees
Comments
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Expected Behavior
The code should probably check that JWK::getAlgorithm does not return null
Actual Behaviour
NPE is thrown here: https://github.com/micronaut-projects/micronaut-security/blob/4.11.x/security-jwt/src/main/java/io/micronaut/security/token/jwt/signature/jwks/JwksSignatureUtils.java#L109
Steps To Reproduce
Try to verify a token which is not valid using a public key which does not have an algorithm specified, with log level set to DEBUG.
The call from here:
micronaut-security/security-jwt/src/main/java/io/micronaut/security/token/jwt/nimbus/ReactiveJwksSignature.java
Line 80 in c90cb48
to here: https://github.com/micronaut-projects/micronaut-security/blob/4.11.x/security-jwt/src/main/java/io/micronaut/security/token/jwt/signature/jwks/JwksSignatureUtils.java#L109
results in NPE as algorithm is not checked for null. According to RFC, I think it's allowed to be null, so maybe Micronaut should add a check to cover this? https://datatracker.ietf.org/doc/html/rfc7517#section-4.4
Environment Information
Linux/MacOS and Java 21
Example Application
No response
Version
4.11
The text was updated successfully, but these errors were encountered: