fix(jwks): filter unsupported key types in fixJwksAlg

[strobelpierre]

Summary

Fixes #823 — JWK::parseKeySet() crashes with DomainException: Unrecognised or unsupported EC curve when the OIDC provider's JWKS endpoint returns keys with types that Firebase JWT cannot parse (e.g. EC P-521 curve, certain OKP subtypes).

Root cause

fixJwksAlg() already identifies the matching key by comparing kty (key type family), but it returns the entire JWKS — including keys with incompatible types. Firebase JWT's parseKeySet() then iterates all keys and throws on the first unsupported one instead of skipping it (firebase/php-jwt#561).

Fix

Filter the JWKS to only include keys matching the expected kty before returning. This is a 5-line addition after the existing matching logic:

$jwks['keys'] = array_values(array_filter($jwks['keys'], function ($key) use ($expectedKty) {
    return ($key['kty'] ?? null) === $expectedKty;
}));

This way parseKeySet() never encounters unsupported key types.

Why not just update Firebase JWT?

Firebase JWT v6 and v7 both have this behavior — parseKey() throws DomainException for unsupported curves instead of returning null. The upstream issue (#561) has been open since 2023 with no fix merged.

Supersedes

This PR supersedes the draft PR #868 which only hardcoded P-521 removal. This approach is more general (filters by kty family) and works against the current main branch.

Test plan

• Added unit tests for fixJwksAlg with mixed key types (RSA + P-521 EC + OKP)
• Added unit test verifying EC keys are preserved when JWT uses ES256

[julien-nc]

Thanks a lot for this PR!

Why not filtering before the foreach loop? We skip the keys with the same condition as your filter anyway.

[strobelpierre]

Thanks a lot for this PR!

Why not filtering before the foreach loop? We skip the keys with the same condition as your filter anyway.

@julien-nc , done :D thx for the idea !

[julien-nc]

Thank you!

[strobelpierre]

Hi @julien-nc 👋

I've rebased the branch on latest main and squashed into a single clean commit. The CI workflows are pending approval — could you (or @juliusknorr / @rullzer) approve the workflow runs so the required checks can pass?

Thanks!

[geoffspace]

Tested and works for us!

[strobelpierre]

@geoffspace , thx for testing ❤️
@julien-nc , thx for merging 😄

[github-actions]

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

(If you believe you should not receive this message, you can add yourself to the blocklist.)