magento2#32636: Improved JWK check in the JwsManager class to account for cases when the algorithm is set directly in headers

Author: bgorski

app/code/Magento/JwtFrameworkAdapter/Model/JwsManager.php

@@ -93,18 +93,17 @@ public function build(JwsInterface $jws, EncryptionSettingsInterface $encryption
         $builder = $builder->withPayload($jws->getPayload()->getContent());
         for ($i = 0; $i < $signaturesCount; $i++) {
             $jwk = $encryptionSettings->getJwkSet()->getKeys()[$i];
-            $alg = $jwk->getAlgorithm();
-            if (!$alg) {
-                throw new EncryptionException('Algorithm is required for JWKs');
-            }
             $protected = [];
             if ($jws->getPayload()->getContentType()) {
                 $protected['cty'] = $jws->getPayload()->getContentType();
             }
             if ($jws->getProtectedHeaders()) {
                 $protected = $this->extractHeaderData($jws->getProtectedHeaders()[$i]);
             }
-            $protected['alg'] = $alg;
+            $protected['alg'] = $protected['alg'] ?? $jwk->getAlgorithm();
+            if (!$protected['alg']) {
+                throw new EncryptionException('Algorithm is required for JWKs');
+            }
             $unprotected = [];
             if ($jws->getUnprotectedHeaders()) {
                 $unprotected = $this->extractHeaderData($jws->getUnprotectedHeaders()[$i]);