From 273c2a5a8867b2ec2a2fcbb6666630751d9cae8a Mon Sep 17 00:00:00 2001 From: Stan Hu Date: Wed, 12 Apr 2023 17:30:32 -0700 Subject: [PATCH] Default to RFC 7638 kid fingerprint generation The switch from the `json-jwt` to `jwt` gem in #177 changed the default `kid` generation from RFC 7638 (https://www.rfc-editor.org/rfc/rfc7638) to a format based on the SHA256 digest of the key elements. However, clients may fail if the `kid` generated by `IdToken` does not match a key listed in the JWKS discovery endpoint, which may be implemented by the application using RFC 7638-based `kid` values. To restore the previous behavior, applications have to set a global setting: ``` JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint ``` However, relying on this global setting is not ideal since other keys may depend on the legacy `kid` values. In keeping with semantic versioning, restore the `kid` generation to RFC 7638. Whether this should be customizable can be discussed later. Closes #193 --- lib/doorkeeper/openid_connect.rb | 2 +- spec/dummy/config/initializers/jwt.rb | 3 --- spec/rails_helper.rb | 1 - 3 files changed, 1 insertion(+), 5 deletions(-) delete mode 100644 spec/dummy/config/initializers/jwt.rb diff --git a/lib/doorkeeper/openid_connect.rb b/lib/doorkeeper/openid_connect.rb index b2bca97..d20642e 100644 --- a/lib/doorkeeper/openid_connect.rb +++ b/lib/doorkeeper/openid_connect.rb @@ -48,7 +48,7 @@ def self.signing_key else OpenSSL::PKey.read(configuration.signing_key) end - ::JWT::JWK.new(key) + ::JWT::JWK.new(key, { kid_generator: JWT::JWK::Thumbprint }) end def self.signing_key_normalized diff --git a/spec/dummy/config/initializers/jwt.rb b/spec/dummy/config/initializers/jwt.rb deleted file mode 100644 index 5582ee5..0000000 --- a/spec/dummy/config/initializers/jwt.rb +++ /dev/null @@ -1,3 +0,0 @@ -# frozen_string_literal: true - -::JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb index ba7737d..79b9c48 100644 --- a/spec/rails_helper.rb +++ b/spec/rails_helper.rb @@ -53,7 +53,6 @@ # Reinitialize configuration after each example config.after do - load Rails.root.join('config/initializers/jwt.rb') load Rails.root.join('config/initializers/doorkeeper.rb') load Rails.root.join('config/initializers/doorkeeper_openid_connect.rb') end
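Review bot: in the `lib/doorkeeper/openid_connect.rb` hunk, `::JWT::JWK.new(key, { kid_generator: JWT::JWK::Thumbprint })` relies on the jwt gem reading the second positional argument as the options hash that carries `kid_generator`; please confirm that holds for every gem version the gemspec allows, since a version that treats that argument differently would silently fall back to the global generator and reintroduce the JWKS `kid` mismatch the commit message describes. The patch also adds no test for the new behaviour (the diffstat shows a single insertion, this line), so add a spec that computes the RFC 7638 thumbprint of the signing key independently and asserts that `Doorkeeper::OpenidConnect.signing_key.kid` equals it. A one-line comment above the call saying why the generator is pinned per key rather than globally would help the next reader.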
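Review bot: deleting `spec/dummy/config/initializers/jwt.rb`, and with it the global `::JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint`, is the right way to show that the per-key option alone restores the RFC 7638 `kid`, but the commit message says applications had to set that same global as a workaround and nothing in the patch tells them it is no longer needed. Add a CHANGELOG or README note stating that the signing key's `kid` is again the RFC 7638 thumbprint, that the global workaround can be removed, and that, if an application keeps the global setting, it still changes the `kid` of every other `JWT::JWK` that application builds.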
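Review bot: removing `load Rails.root.join('config/initializers/jwt.rb')` from the `config.after` hook in `spec/rails_helper.rb` means the global `JWT.configuration` is no longer reset between examples, while the two remaining `load` lines still reinitialize the doorkeeper configuration as the comment "Reinitialize configuration after each example" promises. Any spec that mutates `JWT.configuration.jwk` (for instance to check that the per-key `kid_generator` wins over the global setting) would now leak that state into later examples; either keep a small reset step here that reassigns the gem's default generator, or wrap such specs in an `around` block. If no spec touches the global config, a short comment saying so would justify dropping the reload.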