[help] Is WithValidMethods parser option actually used? #439
-
Hello everyone, I cannot find in the codebase any place where the "validMethods" validation is actually performed. What is it used for? Am I right? Am I missing something? Thanks in advance. Cheers
Replies: 1 comment
-
Hi @mean2me, the Validator struct provided is in place to validate the entity and entity attributes (claims) within the JWS Payload, and as such it should not be used to verify parameters in the JOSE Header or JWS Signature.

The `alg` parameter is part of the JOSE header. If the `WithValidMethods()` option is used from this library, the given `alg` in the JWT is validated against the list provided to the WithValidMethods option. This logic is defined here:

https://github.com/golang-jwt/jwt/blob/e9547a11aa603c52a31e315cdcaa71d0f25b921a/parser.go

```go
// ParseWithClaims parses, validates, and verifies like Parse, but supplies a default object implementing the Claims
// interface. This provides default values which can be overridden and allows a caller to use their own type, rather
// than the default MapClaims implementation of Claims.
//
// Note: If you provide a custom claim implementation that embeds one of the standard claims (such as RegisteredClaims),
// make sure that a) you either embed a non-pointer version of the claims or b) if you are using a pointer, allocate the
// proper memory for it before passing in the overall claims, otherwise you might run into a panic.
func (p *Parser) ParseWithClaims(tokenString string, claims Claims, keyFunc Keyfunc) (*Token, error) {
	token, parts, err := p.ParseUnverified(tokenString, claims)
	if err != nil {
		return token, err
	}

	// Verify signing method is in the required set
	if p.validMethods != nil {
		var signingMethodValid = false
		var alg = token.Method.Alg()
		for _, m := range p.validMethods {
			if m == alg {
				signingMethodValid = true
				break
			}
		}
		if !signingMethodValid {
			// signing method is not in the listed set
			return token, newError(fmt.Sprintf("signing method %v is invalid", alg), ErrTokenSignatureInvalid)
		}
	}
	// (excerpt ends here; the remainder of ParseWithClaims is not quoted)
```

As a base example, this is also validated in the test file parser_test.go: specifically, the test supplies a token that has been signed with RS256, but the parser is set to only accept HS256. As such, the test reports an expected error (and the error is validated as being jwt.ErrTokenSignatureInvalid). Does this answer your question?
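The check described in the reply above, as a stand-alone added example rather than code from golang-jwt: a minimal HS256-only parser that mirrors the `WithValidMethods` allowlist, applying it to the JOSE header `alg` before any key material is touched, so a token carrying an alg outside the list is refused with "signing method X is invalid" even if its signature would otherwise verify. The `Parser`, `WithValidMethods`, `NewParser`, `SignHS256`, `decodePart` and error names here are this example's own, modelled on the library's, and the key and claims are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sentinel errors, named like the library's but defined by this example.
var (
	ErrTokenMalformed        = errors.New("token is malformed")
	ErrTokenSignatureInvalid = errors.New("token signature is invalid")
)

type Parser struct{ validMethods []string } // nil list: no allowlist configured

// WithValidMethods restricts which JOSE header "alg" values Parse accepts.
func WithValidMethods(methods []string) func(*Parser) {
	return func(p *Parser) { p.validMethods = methods }
}

func NewParser(opts ...func(*Parser)) *Parser {
	p := &Parser{}
	for _, o := range opts {
		o(p)
	}
	return p
}

func decodePart(part string, v any) error {
	raw, err := base64.RawURLEncoding.DecodeString(part)
	if err != nil || json.Unmarshal(raw, v) != nil {
		return ErrTokenMalformed
	}
	return nil
}

// SignHS256 builds a compact JWS (header.payload.signature) with HMAC-SHA256.
func SignHS256(claims map[string]any, key []byte) string {
	header, _ := json.Marshal(map[string]string{"alg": "HS256"})
	payload, _ := json.Marshal(claims)
	signingInput := base64.RawURLEncoding.EncodeToString(header) + "." + base64.RawURLEncoding.EncodeToString(payload)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return signingInput + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Parse applies the alg allowlist before any cryptography, then verifies HS256, then decodes claims.
func (p *Parser) Parse(tokenString string, key []byte) (map[string]any, error) {
	parts := strings.Split(tokenString, ".")
	if len(parts) != 3 {
		return nil, ErrTokenMalformed
	}
	var header struct{ Alg string `json:"alg"` }
	if err := decodePart(parts[0], &header); err != nil {
		return nil, err
	}
	// The WithValidMethods check: reject any alg outside the configured set, before touching the key.
	if p.validMethods != nil {
		valid := false
		for _, m := range p.validMethods {
			if m == header.Alg {
				valid = true
				break
			}
		}
		if !valid {
			return nil, fmt.Errorf("signing method %v is invalid: %w", header.Alg, ErrTokenSignatureInvalid)
		}
	}
	// Only HS256 is implemented here; never HMAC-verify a token that claims a different alg.
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("signing method %v is unsupported: %w", header.Alg, ErrTokenSignatureInvalid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if err != nil || !hmac.Equal(mac.Sum(nil), sig) {
		return nil, ErrTokenSignatureInvalid
	}
	var claims map[string]any
	if err := decodePart(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	key := []byte("constructed-demo-key") // constructed sample key, not a real secret
	tok := SignHS256(map[string]any{"sub": "alice"}, key)
	_, err := NewParser(WithValidMethods([]string{"HS256"})).Parse(tok, key)
	fmt.Println("HS256 allowlist:", err) // <nil>: accepted
	_, err = NewParser(WithValidMethods([]string{"RS256"})).Parse(tok, key)
	fmt.Println("RS256 allowlist:", err) // rejected before the signature is checked
}
```

The ordering is the point: the allowlist is consulted from the header alone, so an attacker who rewrites `alg` (to `none`, or to an HMAC alg when the server expects an asymmetric one) is stopped before the parser ever selects a key or runs a verifier. Without `WithValidMethods` the parser here still refuses anything but HS256, but in a real deployment the allowlist is what makes that policy explicit rather than an accident of which methods happen to be registered.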