allow jwt alg from token header

2026-05-31 08:43:37 +00:00 · 2026-04-03 19:31:23 +02:00
parent e7bac3b178
commit fa215009cd
1 changed files with 2 additions and 1 deletions
--- a/dlib/auth/oidc.py
+++ b/dlib/auth/oidc.py
@@ -74,11 +74,12 @@ class OidcTokenValidator:
        key = await self._get_key(header.get("kid"))
        if not key:
            raise TokenValidationError("Unable to resolve signing key")
+        alg = header.get("alg") or key.get("alg") or "RS256"
        try:
            claims = jwt.decode(
                token,
                key,
-                algorithms=[key.get("alg", "RS256")],
+                algorithms=[alg],
                audience=self.audience,
                issuer=self.issuer,
            )