From 8dd0679887d1b345aa3a655f36998c26ee9e5b21 Mon Sep 17 00:00:00 2001
From: Jeff Anderson
Date: Wed, 21 Aug 2024 09:43:06 -0400
Subject: [PATCH] Set the key id in JWT (#45350)

* Set the key id in JWT
Some JWT libraries panic with multiple keys present in the JWKS. A second JWKS key entry was added in #40998
Fixes #44245
* Update lib/jwt/jwt.go
Co-authored-by: Zac Bergquist
* fix compile error
---------
Co-authored-by: Zac Bergquist
---
 lib/jwt/jwt.go | 8 +++++++-
 lib/jwt/jwt_test.go | 7 +++++++
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/lib/jwt/jwt.go b/lib/jwt/jwt.go
index 696b444e4b39c..e6b6b63b48a45 100644
--- a/lib/jwt/jwt.go
+++ b/lib/jwt/jwt.go
@@ -206,7 +206,13 @@ func (k *Key) Sign(p SignParams) (string, error) {
 		Traits: p.Traits,
 	}
 
-	return k.sign(claims, nil)
+	// RFC 7517 requires that `kid` be present in the JWT header if there are multiple keys in the JWKS.
+	// We ignore the error because go-jose omits the kid if it is empty.
+	so := &jose.SignerOptions{}
+	if v, ok := k.config.PublicKey.(*rsa.PublicKey); ok {
+		so.WithHeader("kid", KeyID(v))
+	}
+	return k.sign(claims, so)
 }
 
 // awsOIDCCustomClaims defines the require claims for the JWT token used in AWS OIDC Integration.
diff --git a/lib/jwt/jwt_test.go b/lib/jwt/jwt_test.go
index 1c30979f8d406..5aafe35a5d27d 100644
--- a/lib/jwt/jwt_test.go
+++ b/lib/jwt/jwt_test.go
@@ -57,6 +57,13 @@ func TestSignAndVerify(t *testing.T) {
 	})
 	require.NoError(t, err)
 
+	//decode the signed token
+	decodedToken, err := josejwt.ParseSigned(token)
+	require.NoError(t, err)
+
+	// verify that the kid header is present, and not empty
+	require.NotEmpty(t, decodedToken.Headers[0].KeyID)
+
 	// Verify that the token can be validated and values match expected values.
 	claims, err := key.Verify(VerifyParams{
 		Username: "foo@example.com",
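Review bot: The comment above `so := &jose.SignerOptions{}` says an error is ignored, but `WithHeader` returns `*SignerOptions` and no error, so the sentence describes something that does not happen; the RFC citation is also off, since the `kid` header parameter is RFC 7515 §4.1.4 (RFC 7517 §4.5 only says a JWK Set consumer uses it to pick a key), and neither text "requires" it. Suggested replacement for the two comment lines: `// Set the kid header so a verifier can select the right entry from a JWKS that publishes more than one key (RFC 7515 §4.1.4, RFC 7517 §4.5). It must match the kid our JWKS endpoint publishes for this key.` — presumably the endpoint derives it with the same `KeyID`, which is worth confirming since a mismatch makes every token unverifiable. The type assertion on `k.config.PublicKey` silently skips the header for any non-RSA key, which reproduces the multi-key failure this commit fixes with no signal at all; if `Key` can hold other key types, either derive a `kid` for them too or return an error instead of signing without one. `Sign` begins above this hunk; only its tail and closing brace are visible here.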
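Review bot: `require.NotEmpty(t, decodedToken.Headers[0].KeyID)` only proves some `kid` was written, not that it is the value a JWKS consumer will look up, so a regression in how the id is derived (or a divergence from what the JWKS endpoint publishes) would still pass; compare it against `KeyID` of the same public key the fixture signs with, e.g. `require.Equal(t, KeyID(pub), decodedToken.Headers[0].KeyID)` with `pub` being whatever RSA public key the test already holds for `key`. Indexing `Headers[0]` is fine for a compact single-signature token but would panic on an empty slice, so a preceding `require.Len(t, decodedToken.Headers, 1)` gives a clearer failure. Minor style: `//decode the signed token` is missing the space after `//` that the surrounding comments use. `TestSignAndVerify` starts above this hunk and continues below it.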