fix: default JWT.sign kid option value is false for HMAC signatures
panva committed Nov 27, 2019
1 parent d45f845 commit ce77388
Showing 3 changed files with 36 additions and 5 deletions.
2 changes: 1 addition & 1 deletion docs/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -775,7 +775,7 @@ that will be used to sign with is either provided as part of the 'options.algori
the payload
- `jti`: `<string>` JWT ID, "jti" claim value, if provided it will replace "jti" found in the
payload
- `kid`: `<Boolean>` When true it pushes the key's "kid" to the JWT Header. **Default:** 'true'
- `kid`: `<Boolean>` When true it pushes the key's "kid" to the JWT Header. **Default:** 'true' for asymmetric keys, 'false' for symmetric keys.
- `nonce`: `<string>` ID Token Nonce, "nonce" claim value, if provided it will replace "nonce"
found in the payload. See [OpenID Connect Core 1.0][connect-core] for details.
- `notBefore`: `<string>` JWT Not Before, "nbf" claim value, specified as string which is added to
Expand Down
12 changes: 11 additions & 1 deletion lib/jwt/sign.js
Original file line number Diff line number Diff line change
Expand Up @@ -77,9 +77,19 @@ module.exports = (payload, key, options = {}) => {

key = getKey(key)

let includeKid

if (typeof options.kid === 'boolean') {
includeKid = kid
} else if (key.secret) {
includeKid = false
} else {
includeKid = true
}

return JWS.sign(payload, key, {
...header,
alg: algorithm || header.alg,
kid: kid ? key.kid : header.kid
kid: includeKid ? key.kid : header.kid
})
}
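Review bot: The `typeof options.kid === 'boolean'` branch assigns `includeKid = kid` rather than `includeKid = options.kid`, so the value it copies comes from a `kid` binding declared above this hunk that presumably mirrors `options.kid`; reading the option directly, `includeKid = options.kid`, keeps the check and the value in one place and removes the dependency on that earlier destructuring. A non-boolean `options.kid` (for example the string `'true'`) now silently falls through to the key-type default, whereas the removed `kid ? key.kid : header.kid` treated any truthy value as true; since the docs type the option as `<Boolean>`, that case is better either documented or rejected with `throw new TypeError('"options.kid" must be a boolean')` in an `else if (options.kid !== undefined)` branch. The `key.secret` split also deserves a why-comment, e.g. `// symmetric keys get no kid by default: presumably their kid is derived from the secret material itself and would expose a fingerprint of it — confirm against how key.kid is computed`. The enclosing arrow function begins before this hunk.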
27 changes: 24 additions & 3 deletions test/jwt/sign.test.js
Original file line number Diff line number Diff line change
Expand Up @@ -80,14 +80,35 @@ test('payload is used', t => {

test('options.header is used', t => {
const { header: { alg, kid, ...header } } = JWT.decode(JWT.sign({}, key, { header: { typ: 'JWT' } }), { complete: true })
t.is(kid, key.kid)
t.is(alg, 'HS256')
t.deepEqual(header, { typ: 'JWT' })
})

test('options.kid', t => {
const { header: { kid } } = JWT.decode(JWT.sign({}, key, { kid: false }), { complete: true })
test('options.kid for symmetric keys', t => {
let kid

;({ header: { kid } } = JWT.decode(JWT.sign({}, key), { complete: true }))
t.is(kid, undefined)

;({ header: { kid } } = JWT.decode(JWT.sign({}, key, { kid: false }), { complete: true }))
t.is(kid, undefined)

;({ header: { kid } } = JWT.decode(JWT.sign({}, key, { kid: true }), { complete: true }))
t.is(kid, key.kid)
})

test('options.kid for asymmetric keys', t => {
const key = JWK.generateSync('EC')
let kid

;({ header: { kid } } = JWT.decode(JWT.sign({}, key), { complete: true }))
t.is(kid, key.kid)

;({ header: { kid } } = JWT.decode(JWT.sign({}, key, { kid: false }), { complete: true }))
t.is(kid, undefined)

;({ header: { kid } } = JWT.decode(JWT.sign({}, key, { kid: true }), { complete: true }))
t.is(kid, key.kid)
})

test('options.subject', t => {
Expand Down
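Review bot: The new tests pin the symmetric and asymmetric defaults but never exercise the `header.kid` fallback that `kid: includeKid ? key.kid : header.kid` selects when `includeKid` is false, which is the path a caller relies on to set a kid by hand for an HMAC token. One assertion in `options.kid for symmetric keys` covers it: `;({ header: { kid } } = JWT.decode(JWT.sign({}, key, { header: { kid: 'manual' } }), { complete: true }))` followed by `t.is(kid, 'manual')`. The asymmetric test also calls `JWK.generateSync('EC')`, so `JWK` must already be imported at the top of this test file, which is outside the hunk.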
