Default to RFC 7638 kid fingerprint generation
The switch from the `json-jwt` to `jwt` gem in #177 changed the default `kid` generation from RFC 7638 (https://www.rfc-editor.org/rfc/rfc7638) to a format based on the SHA256 digest of the key elements.

However, clients may fail if the `kid` generated by `IdToken` does not match a key listed in the JWKS discovery endpoint, which may be implemented by the application using RFC 7638-based `kid` values.

To restore the previous behavior, applications have to set a global setting:

```
JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint
```

However, relying on this global setting is not ideal since other keys may depend on the legacy `kid` values.

In keeping with semantic versioning, restore the `kid` generation to RFC 7638. Whether this should be customizable can be discussed later.

Closes #193
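Added example, not part of this commit or of either gem: a stand-alone RFC 7638 thumbprint computation plus a check that a token's `kid` names a key in the published JWKS, which is the lookup that fails when the two sides use different `kid` formats. The helper names (`kid_published?`, `sample_jwk`, `legacy_style_kid`) are hypothetical, the key is generated on the fly, and the legacy-style `kid` is a constructed stand-in rather than the `jwt` gem's exact format.

```ruby
require 'openssl'
require 'json'
require 'digest'

# Required JWK members per key type, already in the lexicographic order
# that RFC 7638 section 3.2 mandates for the hash input.
REQUIRED_MEMBERS = {
  'RSA' => %w[e kty n], 'EC' => %w[crv kty x y], 'oct' => %w[k kty]
}.freeze

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# RFC 7638 thumbprint: SHA-256 over the compact JSON of the required members only.
def rfc7638_thumbprint(jwk)
  jwk = jwk.transform_keys(&:to_s)
  members = REQUIRED_MEMBERS.fetch(jwk['kty']) { raise ArgumentError, 'unsupported kty' }
  missing = members.reject { |m| jwk.key?(m) }
  raise ArgumentError, "missing members: #{missing.join(',')}" unless missing.empty?
  b64url(Digest::SHA256.digest(JSON.generate(members.to_h { |m| [m, jwk[m]] })))
end

# Hypothetical helper: true when the kid in a token header names a published key.
def kid_published?(token_kid, jwks)
  jwks.fetch('keys').any? { |k| k['kid'] == token_kid }
end

# Constructed sample: a throwaway RSA key published with an RFC 7638 kid.
def sample_jwk
  key = OpenSSL::PKey::RSA.new(2048)
  jwk = { 'kty' => 'RSA', 'use' => 'sig', 'alg' => 'RS256',
          'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }
  jwk.merge('kid' => rfc7638_thumbprint(jwk))
end

# Stand-in for a non-RFC 7638 kid (hex SHA-256 of the raw key elements);
# an assumption for illustration, not the jwt gem's exact format.
def legacy_style_kid(jwk)
  Digest::SHA256.hexdigest(jwk['n'] + jwk['e'])
end

if $PROGRAM_NAME == __FILE__
  jwk = sample_jwk
  jwks = { 'keys' => [jwk] }
  puts "RFC 7638 kid published: #{kid_published?(rfc7638_thumbprint(jwk), jwks)}"
  puts "legacy-style kid published: #{kid_published?(legacy_style_kid(jwk), jwks)}"
end
```

Running the same `kid_published?` check against the application's real JWKS document in a deployment test catches a `kid` format drift before clients start rejecting ID tokens.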