Should the JWK "use" parameter be optional?

[FenTiger]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe your problem

Counterpart to frontpagefyi/frontpage#237:

When using "private_key_jwt" authentication, Fosite refuses to accept keys which don't have "use": "sig".

RFC7517 states

Use of the "use" member is OPTIONAL, unless the application requires its presence.

Should there be a way to disable this check?

Describe your ideal solution

A way to disable this check; perhaps a way to customise the search for public keys without having to override the whole of DefaultClientAuthenticationStrategy().

Workarounds or alternatives

Adding the "use" parameter to frontpage.fyi's key, per frontpagefyi/frontpage#237

Version

v0.46.1

Additional Context

No response

[FenTiger]

See also: bluesky-social/atproto#3757

[james-d-elliott]

This is configurable. Just copy the strategy and make the adjustments you want then assign it appropriately.

[FenTiger]

Just copy the strategy

Yes, this is possible, but it doesn't seem ideal to have to make a local copy of >300 lines of code purely to make one small adjustment to it.

Mostly it does exactly what I want, so I think it would be far better to be able to "fine-tune" it rather than having to copy it wholesale and subsequently keep it up to date if/when it changes upstream.

[github-actions]

Hello contributors!

I am marking this issue as stale as it has not received any engagement from the community or maintainers for a year. That does not imply that the issue has no merit! If you feel strongly about this issue

• open a PR referencing and resolving the issue;
• leave a comment on it and discuss ideas on how you could contribute towards resolving it;
• leave a comment and describe in detail why this issue is critical for your use case;
• open a new issue with updated details and a plan for resolving the issue.

Throughout its lifetime, Ory has received over 10.000 issues and PRs. To sustain that growth, we need to prioritize and focus on issues that are important to the community. A good indication of importance, and thus priority, is activity on a topic.

Unfortunately, burnout has become a topic of concern amongst open-source projects.

It can lead to severe personal and health issues as well as opening catastrophic attack vectors.

The motivation for this automation is to help prioritize issues in the backlog and not ignore, reject, or belittle anyone.

If this issue was marked as stale erroneously you can exempt it by adding the backlog label, assigning someone, or setting a milestone for it.

Thank you for your understanding and to anyone who participated in the conversation! And as written above, please do participate in the conversation if this topic is important to you!

Thank you 🙏✌️

[mitar]

Still relevant.