From 39a6132ea86f0a8a70ba50b55a020a477a3bb1bc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?K=C3=A9vin=20Commaille?=
Date: Tue, 12 Mar 2024 12:01:31 +0100
Subject: [PATCH] Do not expose error type from mas-keystore in mas-oidc-client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The mas-keystore crate is an optional dependency so setting "default-features" to false results in a compilation error. Since the enum is exhaustive, the corresponding error variant cannot be behind a cargo feature.
Signed-off-by: Kévin Commaille
---
 crates/oidc-client/src/error.rs | 5 ++---
 crates/oidc-client/src/types/client_credentials.rs | 5 ++++-
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/crates/oidc-client/src/error.rs b/crates/oidc-client/src/error.rs
index 2aeb158a..0c8972f9 100644
--- a/crates/oidc-client/src/error.rs
+++ b/crates/oidc-client/src/error.rs
@@ -24,7 +24,6 @@ use mas_jose::{
 jwa::InvalidAlgorithm,
 jwt::{JwtDecodeError, JwtSignatureError, NoKeyWorked},
 };
-use mas_keystore::WrongAlgorithmError;
 use oauth2_types::{
 errors::ClientErrorCode, oidc::ProviderMetadataVerificationError, pkce::CodeChallengeError,
 };
@@ -693,8 +692,8 @@ pub enum CredentialsError {
 JwtClaims(#[from] ClaimError),
 /// The key found cannot be used with the algorithm.
- #[error(transparent)]
- JwtWrongAlgorithm(#[from] WrongAlgorithmError),
+ #[error("Wrong algorithm for key")]
+ JwtWrongAlgorithm,
 /// An error occurred when signing the JWT.
 #[error(transparent)]
diff --git a/crates/oidc-client/src/types/client_credentials.rs b/crates/oidc-client/src/types/client_credentials.rs
index d760447d..c7c6d04f 100644
--- a/crates/oidc-client/src/types/client_credentials.rs
+++ b/crates/oidc-client/src/types/client_credentials.rs
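Review bot: In the `CredentialsError` hunk of crates/oidc-client/src/error.rs, `JwtWrongAlgorithm` becomes a unit variant, but its doc comment does not record that the cause is deliberately no longer carried. I would add a second doc line such as `/// The underlying keystore error is not carried, because mas-keystore is an optional dependency.` so a later maintainer does not re-add `#[from]`. Dropping the field and the `From<WrongAlgorithmError>` conversion also changes the public shape of the variant for downstream code that constructs or destructures it, which looks worth a changelog entry. The enum starts and ends outside this hunk.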
@@ -340,7 +340,10 @@ impl RequestClientCredentials {
 let key = keystore
 .signing_key_for_algorithm(&signing_algorithm)
 .ok_or(CredentialsError::NoPrivateKeyFound)?;
- let signer = key.params().signing_key_for_alg(&signing_algorithm)?;
+ let signer = key
+ .params()
+ .signing_key_for_alg(&signing_algorithm)
+ .map_err(|_| CredentialsError::JwtWrongAlgorithm)?;
 let mut header = JsonWebSignatureHeader::new(signing_algorithm);
 if let Some(kid) = key.kid() {
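Review bot: `.map_err(|_| CredentialsError::JwtWrongAlgorithm)` discards the keystore error without naming its type, so if `signing_key_for_alg` ever gains another failure mode it will be reported as an algorithm mismatch and the real cause of the failed JWT signing step is lost. Assuming this arm is only compiled when the keystore dependency is enabled (not visible in this hunk), pinning the closure parameter turns such a change into a compile error: `.map_err(|_: mas_keystore::WrongAlgorithmError| CredentialsError::JwtWrongAlgorithm)?;`. A short comment above the chain, e.g. `// detail dropped on purpose: CredentialsError must not expose mas-keystore types`, would also keep the intent visible at the call site. The enclosing function starts before and continues after this hunk.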