
Default to RFC 7638 kid fingerprint generation #194

Merged
merged 1 commit into from
May 12, 2023

Conversation

stanhu

@stanhu stanhu commented Apr 13, 2023

The switch from the json-jwt to jwt gem in #177 changed the default kid generation from RFC 7638
(https://www.rfc-editor.org/rfc/rfc7638) to a format based on the SHA256 digest of the key elements.

However, clients may fail if the kid generated by IdToken does not match a key listed in JWKS discovery endpoint, which may be implemented by the application using RFC 7638-based kid values. To restore the previous behavior, applications have to set a global setting:

```
JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint
```

However, relying on this global setting is not ideal since other keys may depend on the legacy kid values.

In keeping with semantic versioning, restore the kid generation to RFC 7638. Whether this should be customizable can be discussed later.

Closes #193
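As an added example (not doorkeeper's or the jwt gem's code), the following Ruby stdlib-only snippet computes the RFC 7638 thumbprint described above and runs the consistency check a relying party or operator would want over a JWKS document: it flags keys whose `kid` is not their thumbprint, which is exactly the mismatch that makes clients fail. The RSA key is a throw-away one generated at run time, and the function names (`rsa_public_jwk`, `rfc7638_thumbprint`, `mismatched_kids`) are this example's own.

```ruby
require "openssl"
require "json"
require "digest"
require "base64"

# base64url without padding (RFC 7515 section 2), used for JWK members and thumbprints.
def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

# Public JWK for an OpenSSL RSA key. BN#to_s(2) gives the minimal big-endian
# octet string, which is what RFC 7518's Base64urlUInt encoding expects.
def rsa_public_jwk(key)
  { "kty" => "RSA", "n" => b64url(key.n.to_s(2)), "e" => b64url(key.e.to_s(2)) }
end

# RFC 7638 section 3: keep only the required members for the key type, sort them
# lexicographically, serialise with no whitespace, SHA-256 the UTF-8 bytes and
# base64url the digest. Optional members such as "use", "alg" or "kid" never take part.
def rfc7638_thumbprint(jwk)
  required = case jwk["kty"]
             when "RSA" then %w[e kty n]
             when "EC"  then %w[crv kty x y]
             when "oct" then %w[k kty]
             else raise ArgumentError, "unsupported kty #{jwk['kty'].inspect}"
             end
  canonical = JSON.generate(required.sort.to_h { |m| [m, jwk.fetch(m)] })
  b64url(Digest::SHA256.digest(canonical))
end

# Consistency check over a parsed JWKS document: returns the "kid" values that
# are not the RFC 7638 thumbprint of their key, i.e. keys that an ID token
# carrying a thumbprint kid would fail to match.
def mismatched_kids(jwks)
  jwks.fetch("keys")
      .reject { |jwk| jwk["kid"] == rfc7638_thumbprint(jwk) }
      .map { |jwk| jwk["kid"] }
end

if __FILE__ == $PROGRAM_NAME
  key = OpenSSL::PKey::RSA.new(2048) # constructed throw-away key for the demo
  jwk = rsa_public_jwk(key)
  puts "thumbprint kid: #{rfc7638_thumbprint(jwk)}"
  puts "mismatched kids: #{mismatched_kids('keys' => [jwk.merge('kid' => 'legacy')]).inspect}"
end
```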

@stanhu

stanhu commented Apr 13, 2023

Failing tests will be fixed by #195.

@jessieay

Thank you for the detailed explanation on these kid formats @stanhu ! TIL RFC 7638 exists :)

@stanhu

stanhu commented May 5, 2023

@nbulaj Could you also take a look at this one?

@nbulaj nbulaj left a comment


LGTM 👍

@nbulaj nbulaj merged commit ec3d41b into doorkeeper-gem:master May 12, 2023
@nbulaj

nbulaj commented May 12, 2023

Released with 1.8.6

Linked issue (#193): kid value in headers in different format after upgrading from 1.8.3 to 1.8.5