From c22c637511cf19c8ef6510242bb79565664a01e9 Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Tue, 14 Apr 2026 16:38:14 +0200
Subject: [PATCH] fix: explicitly pass RS256 algorithm to jose.jwk.construct to handle JWKS keys without alg field
---
 backend/auth.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/auth.py b/backend/auth.py
index 746b923..2d45510 100644
--- a/backend/auth.py
+++ b/backend/auth.py
@@ -52,7 +52,7 @@ def _decode_token(token: str, jwks):
 if not key_dict:
 raise HTTPException(status_code=401, detail="Invalid token: signing key not found")
- key = construct(key_dict)
+ key = construct(key_dict, algorithm="RS256")
 decode_kwargs = {"algorithms": ["RS256"]}
 if AUTH_CLIENT_ID:
 decode_kwargs["audience"] = AUTH_CLIENT_ID
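Review bot: Passing `algorithm="RS256"` to `construct` overrides whatever the JWKS entry itself declares, so a key whose `kty` is not `RSA` or whose `alg` is something other than RS256 is no longer told apart from a key that simply omits `alg`. I would reject such keys before constructing, e.g. `if key_dict.get("kty") != "RSA" or key_dict.get("alg", "RS256") != "RS256": raise HTTPException(status_code=401, detail="Invalid token: unsupported signing key")`. Without that check python-jose will probably raise a `JWKError` for a non-RSA key, and whether that surfaces as a 401 or an unhandled 500 depends on exception handling that lies outside this hunk. Pinning the algorithm on both `construct` and `decode_kwargs` is the right direction, and a short comment such as `# JWKS keys may omit "alg"; this service only accepts RS256` would record why it is hard-coded. The body of `_decode_token` starts and ends outside the hunk.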