Log missing kid when ID token verification fails

stanhu · stanhu · commit ab69caae5062 · 2024-09-10T10:38:37.000-07:00
This will help debug issues when the JWT is signed with an
unknown `kid`.
diff --git a/lib/omniauth/strategies/openid_connect.rb b/lib/omniauth/strategies/openid_connect.rb
@@ -317,7 +317,10 @@ def decode_id_token(id_token)
         # done. However, if there is no kid, then we try each key
         # individually to see if one works:
         # https://github.com/nov/json-jwt/pull/92#issuecomment-824654949
-        raise if decoded&.header&.key?('kid')
+        if decoded&.header&.key?('kid')
+          kid = decoded.header['kid']
+          raise JSON::JWK::Set::KidNotFound.new("kid '#{kid}' not found")
+        end
 
         decoded = decode_with_each_key!(id_token, keyset)
 
diff --git a/test/lib/omniauth/strategies/openid_connect_test.rb b/test/lib/omniauth/strategies/openid_connect_test.rb
@@ -338,9 +338,11 @@ def test_callback_phase_with_id_token_with_kid_and_no_matching_kid
         strategy.unstub(:user_info)
         strategy.call!('rack.session' => { 'omniauth.state' => state, 'omniauth.nonce' => nonce })
 
-        assert_raises JSON::JWK::Set::KidNotFound do
+        error = assert_raises JSON::JWK::Set::KidNotFound do
           strategy.callback_phase
         end
+
+        assert_match /kid '.*' not found/, error.message
       end
 
       def test_callback_phase_with_id_token_with_hs256
