Skip to content

auth: handle KeyProvider in Verify to fix go-jose unsupported key type error#1461

Open
ctonneslan wants to merge 1 commit intolivekit:mainfrom
ctonneslan:fix-verify-keyprovider
Open

auth: handle KeyProvider in Verify to fix go-jose unsupported key type error#1461
ctonneslan wants to merge 1 commit intolivekit:mainfrom
ctonneslan:fix-verify-keyprovider

Conversation

@ctonneslan
Copy link

@ctonneslan ctonneslan commented Mar 21, 2026

Fixes livekit/server-sdk-go#647

Problem

Verify(key interface{}) only handles string and []byte inputs. When a user passes a *SimpleKeyProvider (which implements the KeyProvider interface), the provider struct gets passed straight through to go-jose, which rejects it with go-jose: unsupported key type/format.

This is a pretty natural mistake to make since Verify takes interface{} and SimpleKeyProvider is the obvious thing to pair with ParseAPIToken. The existing tests all pass the secret string directly, so this path was never covered.

Fix

Added a type check for KeyProvider at the top of Verify. If the caller passes a provider, we resolve it to the secret string for the token's API key before converting to []byte. If the provider returns an empty secret (wrong key), we return ErrKeysMissing.

Tests

Two new test cases:

  • verify with KeyProvider: creates a token, verifies it with NewSimpleKeyProvider, checks claims
  • verify with KeyProvider wrong key returns error: verifies that a provider with the wrong key fails

All existing tests still pass.

@ctonneslan
auth: handle KeyProvider in Verify to fix go-jose unsupported key typ…
c691132 
…e error

Verify() accepts interface{} but only handled string and []byte. When
users pass a SimpleKeyProvider (which implements KeyProvider), go-jose
rejects it with 'unsupported key type/format' because it doesn't know
how to use a struct as an HMAC key.

Now Verify checks for the KeyProvider interface first, resolves it to
the secret string for the token's API key, and converts to []byte
before passing to go-jose.

Fixes livekit/server-sdk-go#647
@changeset-bot
Copy link

changeset-bot bot commented Mar 21, 2026

⚠️ No Changeset found

Latest commit: c691132

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

💥 An error occurred when fetching the changed packages and changesets in this PR 
Some errors occurred when validating the changesets config:
The package or glob expression "github.com/livekit/protocol" specified in the `fixed` option does not match any package in the project. You may have misspelled the package name or provided an invalid glob expression. Note that glob expressions must be defined according to https://www.npmjs.com/package/micromatch.

@CLAassistant
Copy link

CLAassistant commented Mar 21, 2026
edited
Loading

CLA assistant check
All committers have signed the CLA.

@ctonneslan ctonneslan mentioned this pull request Mar 21, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Bug: go-jose: unsupported key type/format error when verifying token with SimpleKeyProvider and string secret

2 participants

@ctonneslan @CLAassistant