Azure B2C custom policy JWK has use of "enc" not "sig"

[tommy5dollar]

Hello,

I'm creating a remote JWK set from the jwks_uri inside of my openid-configuration file so I can verify a JWT using jwtVerify.

This works absolutely fine both with configurations from Auth0 and with default out-of-the-box user policies inside Azure B2C but I'm encountering an issue as soon as I use my own custom policy, even just using the template provided by Microsoft.

Essentially it seems that the issue is that the JWK provided by Azure for my custom policy has a use property set to "enc", not "sig", which causes the code that tries to find a matching kid to fail. If I comment out the candidate = jwk.use === 'sig' line in remote.js then jwtVerify works as expected.

This seems like odd behaviour from Microsoft is to blame and I'm happy to chase them about it, I was just keen to understand if you had any idea why this might be occurring, especially in case the error is a simple misconfiguration or bad code on my behalf.

Thanks in advance!

[panva]

I was just keen to understand if you had any idea why this might be occurring

@tommy5dollar none whatsoever, I have no insight into the Azure product landscape.

[tommy5dollar]

Thanks for the swift response!

In your view is it definitely incorrect behaviour (rather than just unusual behaviour) to provide a JWK with a use of "enc" that you can use to verify a JWT?

[panva]

Yes, such key cannot be used for any of the signing algorithms.