ENGCOM-8999: magento2#32636: Improved JWK check in the JwsManager class to account… #32637

Author: sidolov

app/code/Magento/JwtFrameworkAdapter/Model/JwsManager.php

@@ -93,10 +93,6 @@ public function build(JwsInterface $jws, EncryptionSettingsInterface $encryption
         $builder = $builder->withPayload($jws->getPayload()->getContent());
         for ($i = 0; $i < $signaturesCount; $i++) {
             $jwk = $encryptionSettings->getJwkSet()->getKeys()[$i];
-            $alg = $jwk->getAlgorithm();
-            if (!$alg) {
-                throw new EncryptionException('Algorithm is required for JWKs');
-            }
             $protected = [];
             if ($jws->getPayload()->getContentType()) {
                 $protected['cty'] = $jws->getPayload()->getContentType();
@@ -107,7 +103,10 @@ public function build(JwsInterface $jws, EncryptionSettingsInterface $encryption
             if ($jws->getProtectedHeaders()) {
                 $protected = array_merge($protected, $this->extractHeaderData($jws->getProtectedHeaders()[$i]));
             }
-            $protected['alg'] = $alg;
+            $protected['alg'] = $protected['alg'] ?? $jwk->getAlgorithm();
+            if (!$protected['alg']) {
+                throw new EncryptionException('Algorithm is required for JWKs');
+            }
             $unprotected = [];
             if ($jws->getUnprotectedHeaders()) {
                 $unprotected = $this->extractHeaderData($jws->getUnprotectedHeaders()[$i]);

dev/tests/integration/testsuite/Magento/JwtFrameworkAdapter/Model/JwsManagerTest.php

@@ -0,0 +1,59 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\JwtFrameworkAdapter\Model;
+
+class JwsManagerTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var \Magento\Framework\ObjectManagerInterface
+     */
+    private $objectManager;
+
+    protected function setUp(): void
+    {
+        $this->objectManager = \Magento\TestFramework\Helper\Bootstrap::getObjectManager();
+
+        parent::setUp();
+    }
+
+    public function testCreatingJwsWithAlgorithmSetInHeadersDirectly(): void
+    {
+        $secret = "ZXF1YXRpb24tS2VudHVja3ktY29udGludWVkLWRpZmZlcmVuY2U=";
+        $payload = json_encode([
+            'MyCustomClaim' => 'some value', // not important at all
+            'nbf' => time(),
+            'exp' => time() + 600,
+            'iat' => time()
+        ]);
+        $header = [
+            'alg' => 'HS256',
+            'typ' => 'JWT'
+        ];
+
+        /** @var \Magento\Framework\Jwt\JwkFactory $jwkFactory */
+        $jwkFactory = $this->objectManager->create(\Magento\Framework\Jwt\JwkFactory::class);
+        $jwk = $jwkFactory->createFromData(['kty' => 'oct', 'k' => $secret]);
+
+        /** @var \Magento\JwtFrameworkAdapter\Model\JwsFactory $jwsFactory */
+        $jwsFactory = $this->objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsFactory::class);
+        $jws = $jwsFactory->create($header, $payload, null);
+
+        /** @var \Magento\Framework\Jwt\Jws\JwsSignatureSettingsInterface $encryptionSettings */
+        $encryptionSettings = $this->objectManager->create(
+            \Magento\Framework\Jwt\Jws\JwsSignatureJwks::class,
+            [
+                'jwk' => $jwk
+            ]
+        );
+
+        /** @var \Magento\JwtFrameworkAdapter\Model\JwsManager $jwsManager */
+        $jwsManager = $this->objectManager->create(\Magento\JwtFrameworkAdapter\Model\JwsManager::class);
+
+        $token = $jwsManager->build($jws, $encryptionSettings);
+
+        $this->assertIsString($token);
+    }
+}