how to work with jwk that has jwa RSA-OAEP-256

[blankdots]

Not sure this is an issue so I am starting a discussion:

I am trying to verify a token ( with jwt.Parse as described here: https://github.com/lestrrat-go/jwx/blob/main/docs/01-jwt.md#parse-and-verify-a-jwt-with-single-key ) for which the jwk has as an algorithm RSA-OAEP-256. I use jwk.Fetch to get the keyset and use it in the verification.

If I use jwt.InferAlgorithmFromKey(true) i get: invalid jwa.SignatureAlgorithm which seems to be a know alg for JWE https://www.rfc-editor.org/rfc/rfc7518.html#section-4.1 I suspect the implementation of the JWK endpoint which i am using wrongly assumes RSA-OAEP-256 is a signature algorithm

Am i doing something wrong, or how should i approach this verification?

[lestrrat]

@blankdots can you show us the code and/or the token?

[blankdots]

should be this: https://github.com/neicnordic/sda-download/blob/feature/jwx-whitelist/pkg/auth/auth.go#L50-L81 - any other improvements are welcomed. it fails on line 68.

but in the meantime i did figure out that the JWK endpoint was configured with a JWE key alg instead of a JWS key, so i think that is expected behaviour, but for some reason I can force RS256 verify on it.

[lestrrat]

Thanks, but unfortunately, the code doesn't tell me much. I need something a bit more concrete, reproducible.

[blankdots]

this can be closed, it is not required any more, managed to solve. It was my misunderstanding.