magento2#32636: Improved JWK check in the JwsManager class to account… #32637

Merged (2 commits), Oct 21, 2021

Conversation

bgorski
Contributor

@bgorski bgorski commented Mar 31, 2021

… for cases when the algorithm is set directly in headers

Description (*)

This PR improves the JWK check in the JwsManager class to account for situations when the algorithm is set directly in the header, which is a perfectly valid use case.
More description is available on the issue linked below, along with examples. Those examples describe a use case where I simply couldn't achieve what I needed using the Magento module and ended up having to do it using its dependency package directly, completely omitting the Magento wrapper implementation.

Related Pull Requests

Fixed Issues (if relevant)

  1. Fixes JWK check limits possible use cases for the JWT Framework Adapter #32636

Manual testing scenarios (*)

Run the following piece of test code:

```php
// Shared HMAC secret: the base64url-encoded "k" member of the symmetric (oct) JWK
$secret = "ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U=";
$payload = json_encode([
    'MyCustomValue' => 'some value', // not important at all
    'nbf' => time(),
    'exp' => time() + 600,
    'iat' => time()
]);
// The algorithm is set directly in the header; the JWK created below carries no "alg"
$header = [
    'alg' => 'HS256',
    'typ' => 'JWT'
];

$objectManager = \Magento\Framework\App\ObjectManager::getInstance();

/** @var \Magento\Framework\Jwt\JwkFactory $jwkFactory */
$jwkFactory = $objectManager->create(\Magento\Framework\Jwt\JwkFactory::class);
$jwk = $jwkFactory->createFromData(['kty' => 'oct', 'k' => $secret]);

/** @var \Magento\JwtFrameworkAdapter\Model\JwsFactory $jwsFactory */
$jwsFactory = $objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsFactory::class);
$jws = $jwsFactory->create($header, $payload, null);

/** @var \Magento\Framework\Jwt\Jws\JwsSignatureSettingsInterface $encryptionSettings */
$encryptionSettings = $objectManager->create(
    \Magento\Framework\Jwt\Jws\JwsSignatureJwks::class,
    [
        'jwk' => $jwk
    ]
);

/** @var \Magento\JwtFrameworkAdapter\Model\JwsManager $jwsManager */
$jwsManager = $objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsManager::class);

// Before this PR, this threw "Algorithm is required for JWKs" because the JWK has no "alg"
$token = $jwsManager->build($jws, $encryptionSettings);
```

The expected result is a token, not an exception.

Questions or comments

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • All automated tests passed successfully (all builds are green)
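What the relaxed check amounts to, shown as an added example in plain PHP (this is not Magento's JwsManager code and not part of the PR): the algorithm is taken from the JWK's "alg" member when present and otherwise from the protected header, the two must agree when both exist, and the result must be in an explicit allowlist before anything is signed. The function names, the allowlist and the sample payload are assumptions; the secret is the one from the test code above.

```php
<?php
// Added example (not Magento code): resolve the JWS algorithm from the JWK's
// "alg" member or, when the JWK has none, from the protected header, then
// build and verify an HMAC compact JWS using only the PHP standard library.
// Function names, ALLOWED_ALGS and the constructed payload are assumptions.

declare(strict_types=1);

const ALLOWED_ALGS = ['HS256' => 'sha256', 'HS384' => 'sha384', 'HS512' => 'sha512'];

function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string
{
    $padded = str_pad(strtr($data, '-_', '+/'), (int) ceil(strlen($data) / 4) * 4, '=');
    $decoded = base64_decode($padded, true);
    if ($decoded === false) {
        throw new InvalidArgumentException('Invalid base64url input');
    }
    return $decoded;
}

// Mirrors the check the PR relaxes: the algorithm may come from the JWK or from
// the protected header; both present means they must agree, and the result
// must be an explicitly allowed HMAC algorithm (so "none" can never pass).
function resolveAlgorithm(array $jwk, array $protectedHeader): string
{
    $fromJwk = $jwk['alg'] ?? null;
    $fromHeader = $protectedHeader['alg'] ?? null;
    if ($fromJwk === null && $fromHeader === null) {
        throw new InvalidArgumentException('Algorithm is required for JWKs');
    }
    if ($fromJwk !== null && $fromHeader !== null && $fromJwk !== $fromHeader) {
        throw new InvalidArgumentException('JWK alg and header alg disagree');
    }
    $alg = $fromJwk ?? $fromHeader;
    if (!isset(ALLOWED_ALGS[$alg])) {
        throw new InvalidArgumentException("Algorithm not allowed: $alg");
    }
    return $alg;
}

function buildJws(array $jwk, array $protectedHeader, string $payload): string
{
    if (($jwk['kty'] ?? null) !== 'oct') {
        throw new InvalidArgumentException('Only symmetric (oct) keys are handled here');
    }
    $alg = resolveAlgorithm($jwk, $protectedHeader);
    $protectedHeader['alg'] = $alg; // the emitted header always carries the resolved alg
    $key = b64url_decode($jwk['k']);
    $signingInput = b64url_encode(json_encode($protectedHeader, JSON_UNESCAPED_SLASHES))
        . '.' . b64url_encode($payload);
    $signature = hash_hmac(ALLOWED_ALGS[$alg], $signingInput, $key, true);
    return $signingInput . '.' . b64url_encode($signature);
}

// Verification side: the header "alg" is untrusted input, so it is compared
// with the algorithm the verifier expects instead of being trusted on its own.
function verifyJws(string $token, array $jwk, string $expectedAlg): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !isset(ALLOWED_ALGS[$expectedAlg])) {
        return null;
    }
    try {
        [$h, $p, $s] = $parts;
        $header = json_decode(b64url_decode($h), true);
        if (!is_array($header) || ($header['alg'] ?? null) !== $expectedAlg) {
            return null;
        }
        $expected = hash_hmac(ALLOWED_ALGS[$expectedAlg], "$h.$p", b64url_decode($jwk['k']), true);
        return hash_equals($expected, b64url_decode($s)) ? b64url_decode($p) : null;
    } catch (InvalidArgumentException $e) {
        return null; // malformed base64url anywhere in the token
    }
}

// Constructed sample: the JWK carries no "alg" and the header does (the PR's case).
$jwk = ['kty' => 'oct', 'k' => 'ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U='];
$header = ['alg' => 'HS256', 'typ' => 'JWT'];
$payload = json_encode(['sub' => 'example', 'iat' => 1700000000, 'exp' => 1700000600]);

$token = buildJws($jwk, $header, $payload);
echo 'token: ', $token, PHP_EOL;
echo 'verify with HS256: ', verifyJws($token, $jwk, 'HS256') === $payload ? 'ok' : 'rejected', PHP_EOL;
echo 'verify with HS512: ', verifyJws($token, $jwk, 'HS512') === null ? 'rejected' : 'ok', PHP_EOL;
```

Run it with the PHP CLI. The allowlist and the agreement check are the parts that matter: taking "alg" from the header is fine at build time because the caller chose it, but on the verify side the same field is attacker-controlled, so the verifier pins the algorithm it expects and uses hash_equals to compare signatures in constant time.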

@m2-assistant

m2-assistant bot commented Mar 31, 2021

Hi @bgorski. Thank you for your contribution.
Here are some useful tips on how you can test your changes using the Magento test environment.
Add a comment under your pull request to deploy a test or vanilla Magento instance:

  • @magento give me test instance - deploy test instance based on PR changes
  • @magento give me 2.4-develop instance - deploy vanilla Magento instance

❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names. Allowed build names are:

  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here

ℹ️ Please run only needed test builds instead of all when developing. Please run all test builds before sending your PR for review.

For more details, please, review the Magento Contributor Guide documentation.

⚠️ According to the Magento Contribution requirements, all Pull Requests must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

🕙 You can find the schedule on the Magento Community Calendar page.

📞 The triage of Pull Requests happens in the queue order. If you want to speed up the delivery of your contribution, please join the Community Contributions Triage session to discuss the appropriate ticket.

🎥 You can find the recording of the previous Community Contributions Triage on the Magento Youtube Channel

✏️ Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

@bgorski
Contributor Author

bgorski commented Mar 31, 2021

@magento run all tests

@bgorski
Contributor Author

bgorski commented Mar 31, 2021

@magento run Functional Tests EE

@gabrieldagama gabrieldagama added the Priority: P2 A defect with this priority could have functionality issues which are not to expectations. label Apr 8, 2021
@magento-engcom-team
Contributor

Hi @ihor-sviziev, thank you for the review.
ENGCOM-8999 has been created to process this Pull Request
✳️ @ihor-sviziev, could you please add one of the following labels to the Pull Request?

Label | Description
Auto-Tests: Covered | All changes in the Pull Request are covered by auto-tests
Auto-Tests: Not Covered | Changes in the Pull Request require coverage by auto-tests
Auto-Tests: Not Required | Changes in the Pull Request do not require coverage by auto-tests

@engcom-Alfa
Contributor

✔️ QA Passed

Preconditions:

  1. Have a Magento instance installed
  2. Create a new custom module with an Index.php to execute any simple code.

Manual testing scenario:

  1. Place the complete code from the description above in the Index.php to execute it.

  2. Also append one more echo statement at the end to display the token value.

  3. Run the code in the browser to see its output.

Before: ✖️ Getting an exception saying "Algorithm is required for JWKs"

[screenshot: exception output]

After: ✔️ Token value is returned successfully.

[screenshot: token output]

No other testing is required as part of regression on this!

@m2-assistant

m2-assistant bot commented Oct 21, 2021

Hi @bgorski, thank you for your contribution!
Please complete the Contribution Survey; it will take less than a minute.
Your feedback will help us improve the contribution process.

Labels

  • Auto-Tests: Covered (All changes in the Pull Request are covered by auto-tests)
  • Award: bug fix
  • Award: test coverage
  • Component: JwtFrameworkAdapter
  • Partner: MRM Commerce
  • partners-contribution (Pull Request is created by a Magento Partner)
  • Priority: P2 (A defect with this priority could have functionality issues which are not to expectations.)
  • Progress: accept
  • Release Line: 2.4