JWKS verify of Microsoft requires WithInferAlgorithmFromKey #1430

shyim · 2025-07-28T07:41:11Z

shyim
Jul 28, 2025

Hey,

I am trying to validate JWT of Microsoft against: https://login.microsoftonline.com/common/discovery/keys

After debugging for a while I came up that the Algorithm could not be detected and turning infering does fix it.

the key looks like this:

{
"kty": "RSA",
"use": "sig",
"kid": "JYhAcTPMZ_LX6DBlOWQ7Hn0NeXE",
"x5t": "JYhAcTPMZ_LX6DBlOWQ7Hn0NeXE",
"n": "otxHCrbdDCUhPHT05zemCxen_h3vbWY9BxgH5yL4HPhAfj8xFrn-B5vgySJKUj4yprzwkT-EfcCfpMNDgxvVHyzMzWQWk_XcYCA72Whkt4kZnEzk-oxeasJ2rJ7NIpWMdQbamfw4BT8GYyplE1Pd2oiBGTeW4qxJow5qVmu_xwqpdq0MiViNQMQgLmy1FElDweue2Hsr9PUF-bp1dFPSp1m1kqvpMBsLZd4-2cc-k3gl12PB0O3GbswwFdoKf9iN0mJ_0GdRRQiXm-BXpnOPNiTcYrLiz2wWCpYQrLmxpJhm3oqLPGWrQtyVeO8vUeLI0fW4wpjYCQK_KPEi1x7T2Q",
"e": "AQAB",
"x5c": [
"MIIC/jCCAeagAwIBAgIJAM5KoNE1LHYtMA0GCSqGSIb3DQEBCwUAMC0xKzApBgNVBAMTImFjY291bnRzLmFjY2Vzc2NvbnRyb2wud2luZG93cy5uZXQwHhcNMjUwNzA3MTQzMjA3WhcNMzAwNzA3MTQzMjA3WjAtMSswKQYDVQQDEyJhY2NvdW50cy5hY2Nlc3Njb250cm9sLndpbmRvd3MubmV0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAotxHCrbdDCUhPHT05zemCxen/h3vbWY9BxgH5yL4HPhAfj8xFrn+B5vgySJKUj4yprzwkT+EfcCfpMNDgxvVHyzMzWQWk/XcYCA72Whkt4kZnEzk+oxeasJ2rJ7NIpWMdQbamfw4BT8GYyplE1Pd2oiBGTeW4qxJow5qVmu/xwqpdq0MiViNQMQgLmy1FElDweue2Hsr9PUF+bp1dFPSp1m1kqvpMBsLZd4+2cc+k3gl12PB0O3GbswwFdoKf9iN0mJ/0GdRRQiXm+BXpnOPNiTcYrLiz2wWCpYQrLmxpJhm3oqLPGWrQtyVeO8vUeLI0fW4wpjYCQK/KPEi1x7T2QIDAQABoyEwHzAdBgNVHQ4EFgQUbmZcQgdPC+xHVw/WrRHiajm/FNIwDQYJKoZIhvcNAQELBQADggEBACVhPf9gP/hr7lLx8OCaGaAVEEQ+DGqMuSzHJTSgcGXwKsVbsHO7Ih39ERM+ZoUZoawARETLw7c0UW0iiBZsdBnjVhzaEHha/9tIXOs9THAqwNY6hhN4tYY9MOB4U5gBL7SaQnwelHsY6oQSavK/lA25e/t0Uxz2BOEWYy6/59n3Tu8AMRySz6Q1YnVO6Ww5pNBTjHV+8kFbsj3ln5C4rAoTBJwHSYdh6Yz9OZB7UGhVCzkYQ7FO5xJ1WW5FPezVl4Osnr/JhjwvAidcq4dKO7OGHTIaDa72IcJ9IFsPdCxaCIspz4A1zEX6C+Z8bONccUs5xeAeGwaZypw9XJW341M="
],
"cloud_instance_name": "microsoftonline.com"
},

Is it safe to turn this option on? and is it a missing feature that this does not work out of the box?

Thanks for this library! :)

Answered by shyim

Jul 28, 2025

ahh it's documented here

jwx/docs/01-jwt.md

Lines 453 to 455 in 5a2062d

     // Replace the above option with the following option if you know your key  
   // does not have an "alg"/ field (which is apparently the case for Azure tokens)  
   // jwt.WithKeySet(keyset, jws.WithInferAlgorithmFromKey(true)),  

 

View full answer

shyim · 2025-07-28T07:55:54Z

shyim
Jul 28, 2025
Author

ahh it's documented here

jwx/docs/01-jwt.md

Lines 453 to 455 in 5a2062d

    
           // Replace the above option with the following option if you know your key 
        
           // does not have an "alg"/ field (which is apparently the case for Azure tokens) 
        
           // jwt.WithKeySet(keyset, jws.WithInferAlgorithmFromKey(true)),

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

JWKS verify of Microsoft requires WithInferAlgorithmFromKey #1430

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

	// Replace the above option with the following option if you know your key
	// does not have an "alg"/ field (which is apparently the case for Azure tokens)
	// jwt.WithKeySet(keyset, jws.WithInferAlgorithmFromKey(true)),

Uh oh!

JWKS verify of Microsoft requires WithInferAlgorithmFromKey #1430

Uh oh!

shyim Jul 28, 2025

Replies: 1 comment

Uh oh!

shyim Jul 28, 2025 Author

shyim
Jul 28, 2025

shyim
Jul 28, 2025
Author