Fixed issue with kid order confusion (#60)

We incorrectly looped over the values of a map, which in Go is in an indeterministic order. This lead to some confusion of KIDs, if multiple public keys were used. This in turn made some tests fail randomly. Fixes #42
oxisto · Apr 9, 2023 · 52655f5 · 52655f5
1 parent 890d5e8
commit 52655f5
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 8 deletions.
diff --git a/integration_test.go b/integration_test.go
@@ -47,7 +47,7 @@ func TestIntegration(t *testing.T) {
 	jwtoken, err := jwt.ParseWithClaims(token.AccessToken, &jwt.RegisteredClaims{}, func(t *jwt.Token) (interface{}, error) {
 		kid, _ := strconv.ParseInt(t.Header["kid"].(string), 10, 64)
 
-		return srv.PublicKeys()[kid], nil
+		return srv.PublicKeys()[int(kid)], nil
 	})
 	if err != nil {
 		t.Errorf("Error while retrieving a token: %v", err)

diff --git a/server.go b/server.go
@@ -138,12 +138,13 @@ func NewServer(addr string, opts ...AuthorizationServerOption) *AuthorizationSer
 	return srv
 }
 
-// PublicKey returns the public keys of the signing key of this authorization server.
-func (srv *AuthorizationServer) PublicKeys() []*ecdsa.PublicKey {
-	var keys = []*ecdsa.PublicKey{}
+// PublicKey returns the public keys of the signing key of this authorization
+// server in a map, indexed by its kid.
+func (srv *AuthorizationServer) PublicKeys() map[int]*ecdsa.PublicKey {
+	var keys = make(map[int]*ecdsa.PublicKey, len(srv.signingKeys))
 
-	for _, k := range srv.signingKeys {
-		keys = append(keys, &k.PublicKey)
+	for kid, key := range srv.signingKeys {
+		keys[kid] = &key.PublicKey
 	}
 
 	return keys
@@ -266,7 +267,7 @@ func (srv *AuthorizationServer) doRefreshTokenFlow(w http.ResponseWriter, r *htt
 	_, err = jwt.ParseWithClaims(refreshToken, &claims, func(t *jwt.Token) (interface{}, error) {
 		kid, _ := strconv.ParseInt(t.Header["kid"].(string), 10, 64)
 
-		return srv.PublicKeys()[kid], nil
+		return srv.PublicKeys()[int(kid)], nil
 	})
 	if err != nil {
 		fmt.Printf("%+v", err)

diff --git a/server_test.go b/server_test.go
@@ -10,6 +10,7 @@ import (
 	"math/big"
 	"net/http"
 	"net/http/httptest"
+	"os"
 	"reflect"
 	"strings"
 	"testing"
@@ -46,7 +47,7 @@ var testChallenge = GenerateCodeChallenge(testVerifier)
 // testRefreshTokenClientKID1MockSingingKey is a valid refresh token signed by mockSigningKey with the KID 1
 var testRefreshTokenClientKID1MockSingingKey string
 
-func init() {
+func TestMain(m *testing.M) {
 	var (
 		err error
 		t   *jwt.Token
@@ -66,6 +67,8 @@ func init() {
 	if err != nil {
 		panic(err)
 	}
+
+	os.Exit(m.Run())
 }
 
 func TestAuthorizationServer_handleToken(t *testing.T) {