Merge pull request #16 from ThalesIgnite/kidVerificationFix

Re-enabled mandatory check for kid verification in JWT verifier
ThalesGroup · May 19, 2021 · 6d77caa · 6d77caa
2 parents 061890b + c0b3041
commit 6d77caa
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/jwt_verifier.go b/jwt_verifier.go
@@ -71,10 +71,10 @@ func (verifier *JwtVerifierImpl) Verify(jwt string, audience []string) (kid stri
 
 	// Though optional in the JWT spec we always require a Key ID to be present
 	// to resist various known attacks.
-	// if len(token.Header.Kid) == 0 {
-	// 	err = ErrInvalidKid
-	// 	return
-	// }
+	if len(token.Header.Kid) == 0 {
+		err = ErrInvalidKid
+		return
+	}
 	if len(token.Header.Kid) > 0 {
 		var key VerificationKey
 		key, err = verifier.store.Get(token.Claims.Issuer, token.Header.Kid)