Merge pull request #3223 from Infisical/misc/improve-support-for-jwks-via-http

misc: improve support for jwks via http
2025-03-14 10:27:49 +00:00 · 2025-03-11 23:02:17 +05:30
parent 20477ce2b0 4dc56033b1
commit c19016e6e6
1 changed files with 16 additions and 8 deletions
--- a/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
+++ b/backend/src/services/identity-jwt-auth/identity-jwt-auth-service.ts
@ -78,14 +78,22 @@ export const identityJwtAuthServiceFactory = ({
    let tokenData: Record<string, string | boolean | number> = {};

    if (identityJwtAuth.configurationType === JwtConfigurationType.JWKS) {
-      const decryptedJwksCaCert = orgDataKeyDecryptor({
-        cipherTextBlob: identityJwtAuth.encryptedJwksCaCert
-      }).toString();
-      const requestAgent = new https.Agent({ ca: decryptedJwksCaCert, rejectUnauthorized: !!decryptedJwksCaCert });
-      const client = new JwksClient({
-        jwksUri: identityJwtAuth.jwksUrl,
-        requestAgent
-      });
+      let client: JwksClient;
+      if (identityJwtAuth.jwksUrl.includes("https:")) {
+        const decryptedJwksCaCert = orgDataKeyDecryptor({
+          cipherTextBlob: identityJwtAuth.encryptedJwksCaCert
+        }).toString();
+
+        const requestAgent = new https.Agent({ ca: decryptedJwksCaCert, rejectUnauthorized: !!decryptedJwksCaCert });
+        client = new JwksClient({
+          jwksUri: identityJwtAuth.jwksUrl,
+          requestAgent
+        });
+      } else {
+        client = new JwksClient({
+          jwksUri: identityJwtAuth.jwksUrl
+        });
+      }

      const { kid } = decodedToken.header;
      const jwtSigningKey = await client.getSigningKey(kid);