the library doesn't check token signature

[DmitryDD]

I've just quickly read the code and found that there is no access token's signature verification.

https://github.com/imagov/keycloak/blob/master/lib/keycloak.rb#L326

JWT.decode refresh_token, @public_key, false, { :algorithm => 'RS256' }

as you can see the third argument needs to be set as true to check the signature
https://github.com/jwt/ruby-jwt/blob/master/lib/jwt/decode.rb#L11-L31

here is a quick solution

public_key = "-----BEGIN PUBLIC KEY-----\n" +
 @public_key.scan(/.{1,64}/).join("\n") +
 "\n-----END PUBLIC KEY-----\n"

JWT.decode(token, OpenSSL::PKey::RSA.new(public_key), true, algorithm: 'RS256')

Hopefully, this would help someone
Cheers

[oskarpearson]

I found this too, and am absolutely mind-boggled that this is no verification of the access token's signature? Surely the the devs can't have done this in a supposed keycloak library?

https://www.cryptr.co/documentation/how-to-validate-jwt and https://docs.prismacloud.io/en/enterprise-edition/policy-reference/sast-policies/python-policies/sast-policy-54
@lvitals @g-portugues