fix: return HTTP 400 if key unmarshal fails

session/stub/jwk.es512.broken.json

@@ -0,0 +1,14 @@
+{
+  "keys": [
+    {
+      "use": "sig",
+      "kty": "EC",
+      "kid": "bc7f7afc-6742-427c-bb9e-164fe0f8b6a7",
+      "crv": "P-521",
+      "alg": "ES512",
+      "x": "ASj36HQOpsWiaGyzK1F0GkxXRt37R01M-OCWFk8rFqH8UnFBk0qnCmVYWv3pwVPPsN0CfFiaXTrV1gUSapkkDgWY",
+      "y": "ALf5bqXExUq6FzQNQg01hDhR2lOKzkrC02Bc6Alld8Zji3-echbimNZltoOi4MhXbSJeWHpU8wzb3v9XAAW4eovn",
+      "d": "ALP0Sf7cmcELc9CQ2bWd6Qs-YxMu0N9EYZhDmR6qbYdGnvv-lcGy_ySoEJD0vPMKagA8PHDvFhC7ORwP-sBIJ4O_"
+    }
+  ]
+

session/tokenizer.go

@@ -6,6 +6,7 @@ package session
 import (
 	"context"
 	"encoding/json"
+	"strings"
 	"time"
 
 	"go.opentelemetry.io/otel/trace"
@@ -70,6 +71,8 @@ func (s *Tokenizer) TokenizeSession(ctx context.Context, template string, sessio
 	if err != nil {
 		if errors.Is(err, jwksx.ErrUnableToFindKeyID) {
 			return errors.WithStack(herodot.ErrBadRequest.WithReasonf("Could not find key a suitable key for tokenization in the JWKS url."))
+		} else if strings.Contains(err.Error(), "failed to unmarshal JWK set: ") {
+			return errors.WithStack(herodot.ErrBadRequest.WithReasonf("%v", err.Error()))
 		}
 		return err
 	}

session/tokenizer_test.go

@@ -10,6 +10,8 @@ import (
 	"testing"
 	"time"
 
+	"github.com/ory/herodot"
+
 	"github.com/gofrs/uuid"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/lestrrat-go/jwx/jwk"
@@ -115,4 +117,11 @@ func TestTokenizer(t *testing.T) {
 
 		snapshotx.SnapshotT(t, token.Claims, snapshotx.ExceptPaths("jti"))
 	})
+
+	t.Run("case=rs512-with-broken-keyfile", func(t *testing.T) {
+		tid := "rs512-template"
+		setTokenizeConfig(conf, tid, "jwk.es512.broken.json", "file://stub/rs512-template.jsonnet")
+		err := tkn.TokenizeSession(ctx, tid, s)
+		require.ErrorIs(t, err, herodot.ErrBadRequest)
+	})
 }