This repository was archived by the owner on Oct 10, 2025. It is now read-only.
feat: fallback to getUser() if the kid of the JWT is not found
#1080
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cemalkilic
approved these changes
Jul 9, 2025
hf
force-pushed
the
hf/fallback-to-get-user-if-key-not-found
branch
from
0d94405 to
3359275
Compare
hf
force-pushed
the
hf/fallback-to-get-user-if-key-not-found
branch
from
3359275 to
361baf1
Compare
hf
pushed a commit
that referenced
this pull request
Jul 14, 2025
🤖 I have created a release *beep* *boop* --- ## [2.71.0](v2.70.0...v2.71.0) (2025-07-10) ### Features * fallback to `getUser()` if the `kid` of the JWT is not found ([#1080](#1080)) ([9721f60](9721f60)) * introduce experimental split user and session storage ([#1023](#1023)) ([e7b2f21](e7b2f21)) * make `getClaims()` non experimental, add global cache ([#1078](#1078)) ([ffe13d7](ffe13d7)) * remove solana dependency by inlining types ([#1079](#1079)) ([7665f94](7665f94)) ### Bug Fixes * handle null current session with split session storage ([#1071](#1071)) ([bc6192a](bc6192a)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
mandarini
pushed a commit
to supabase/supabase-js
that referenced
this pull request
Oct 2, 2025
🤖 I have created a release *beep* *boop* --- ## [2.71.0](supabase/auth-js@v2.70.0...v2.71.0) (2025-07-10) ### Features * fallback to `getUser()` if the `kid` of the JWT is not found ([#1080](supabase/auth-js#1080)) ([9867cd1](supabase/auth-js@9867cd1)) * introduce experimental split user and session storage ([#1023](supabase/auth-js#1023)) ([b3ea493](supabase/auth-js@b3ea493)) * make `getClaims()` non experimental, add global cache ([#1078](supabase/auth-js#1078)) ([ce77cbf](supabase/auth-js@ce77cbf)) * remove solana dependency by inlining types ([#1079](supabase/auth-js#1079)) ([9824c9b](supabase/auth-js@9824c9b)) ### Bug Fixes * handle null current session with split session storage ([#1071](supabase/auth-js#1071)) ([69aca6f](supabase/auth-js@69aca6f)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
grdsdev
added a commit
to supabase/supabase-flutter
that referenced
this pull request
Oct 6, 2025
Updates getClaims() documentation and comments to clarify that the method always uses server-side verification via getUser(). This approach gracefully handles edge cases such as: - Key rotation scenarios where JWKS cache might not have the new signing key - Symmetric JWTs (HS256) that require server-side verification - Revoked or invalidated tokens that are still unexpired This aligns the implementation intent with the auth-js behavior where getClaims() falls back to getUser() when the signing key is not found in JWKS or when client-side verification is not available. The Flutter implementation uses this server-side verification approach for all JWT types, providing robust and consistent validation regardless of the signing algorithm. Related: supabase/auth-js#1080 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <[email protected]>
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Because the
/.well-known/jwks.jsonis heavily cached, a developer may rotate the standby key to in use faster than those caches expire. In that case thegetClaims()method may receive a JWT signed with a key ID it doesn't recognize. Instead of failing with an error, it should reach out directly to the Auth server to verify the JWT.