Comments (2)
The issue here is that with the switch to #177, the jwt gem defaults to a key generator of `JWT::JWK::KidAsKeyDigest` instead of `JWT::JWK::Thumbprint`, which implements RFC 7638: https://www.rfc-editor.org/rfc/rfc7638.
It's not obvious that applications need to set the generator to make the kid values backwards compatible with `json-jwt`:
`JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint`
This broke our application because we overrode `Doorkeeper::OpenidConnect::DiscoveryController` to export additional keys with RFC 7638 format via `json-jwt`, but `Doorkeeper::OpenidConnect::IdToken` uses a kid in the `JWT::JWK::KidAsKeyDigest` format. Clients would fail because the kid listed in the JWKS URL did not match the one provided in the token.
There is a `json-jwt` discussion to make RFC 7638 the default in a future version.
I think v1.8.x of this gem should default to the RFC7638 behavior:
diff --git a/lib/doorkeeper/openid_connect.rb b/lib/doorkeeper/openid_connect.rb
index b2bca97..d20642e 100644
--- a/lib/doorkeeper/openid_connect.rb
+++ b/lib/doorkeeper/openid_connect.rb
@@ -48,7 +48,7 @@ module Doorkeeper
else
OpenSSL::PKey.read(configuration.signing_key)
end
- ::JWT::JWK.new(key)
+ ::JWT::JWK.new(key, { kid_generator: JWT::JWK::Thumbprint })
end
def self.signing_key_normalized
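Review bot: hard-coding `{ kid_generator: JWT::JWK::Thumbprint }` in the `::JWT::JWK.new(key, ...)` call overrides whatever an application has already set through `JWT.configuration.jwk.kid_generator_type` (the setting named in the comment above), so consider reading the generator from a Doorkeeper::OpenidConnect configuration option that defaults to the thumbprint generator instead of fixing it at the call site. The change also alters the `kid` that every existing installation signs tokens with, so tokens carrying the previous `KidAsKeyDigest` identifier stop matching the JWKS document in exactly the way the comment describes; that deserves a changelog entry, and the keys served by the discovery controller must be generated with the same generator as the id_token signer or the mismatch simply moves to the other side.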
I'm not sure if this needs to be customized. What do you think @nbulaj @kristof-mattei?
from doorkeeper-openid_connect.
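The kid mismatch described above, as an added example that is not code from the doorkeeper-openid_connect or jwt gems (stdlib Ruby only): an RFC 7638 thumbprint generator, a JWKS document keyed by it, and the relying-party lookup that fails when a token header carries a kid from a different generator. The RSA key and the alternate kid are constructed test values, and the alternate kid is not a claim about how any particular gem derives its identifiers.

```ruby
require 'openssl'
require 'json'
# base64url without padding, used for JWK members and JWS segments (RFC 7515).
def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end
def b64url_decode(str)
  str.tr('-_', '+/').ljust((str.length + 3) & ~3, '=').unpack1('m0')
end

# RFC 7638: SHA-256 over the required members only, lexicographically ordered, no whitespace.
def rfc7638_thumbprint(jwk)
  required = { 'RSA' => %w[e kty n], 'EC' => %w[crv kty x y], 'oct' => %w[k kty] }.fetch(jwk['kty'])
  b64url(OpenSSL::Digest::SHA256.digest(JSON.generate(required.to_h { |m| [m, jwk.fetch(m)] })))
end

# Public JWK for an RSA key (RFC 7518 section 6.3.1) with its kid set to the thumbprint.
def rsa_public_jwk(key)
  jwk = { 'kty' => 'RSA', 'n' => b64url(key.n.to_s(2)), 'e' => b64url(key.e.to_s(2)) }
  jwk.merge('kid' => rfc7638_thumbprint(jwk))
end

# Rebuild an OpenSSL public key from a JWKS entry by wrapping n and e in a SubjectPublicKeyInfo.
def rsa_key_from_jwk(jwk)
  n, e = %w[n e].map { |m| OpenSSL::BN.new(b64url_decode(jwk[m]), 2) }
  pkcs1 = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer(n), OpenSSL::ASN1::Integer(e)])
  algid = OpenSSL::ASN1::Sequence([OpenSSL::ASN1::ObjectId('rsaEncryption'), OpenSSL::ASN1::Null(nil)])
  OpenSSL::PKey::RSA.new(OpenSSL::ASN1::Sequence([algid, OpenSSL::ASN1::BitString(pkcs1.to_der)]).to_der)
end

# Minimal RS256 issuer: the kid placed in the header is whatever the generator produced.
def sign_rs256(key, kid, claims)
  input = [{ 'alg' => 'RS256', 'kid' => kid }, claims].map { |h| b64url(JSON.generate(h)) }.join('.')
  "#{input}.#{b64url(key.sign(OpenSSL::Digest::SHA256.new, input))}"
end

# Relying-party check: select the key by kid from the JWKS document, then verify the signature.
def verify_rs256(token, jwks)
  h, p, s = token.split('.')
  kid = JSON.parse(b64url_decode(h))['kid']
  jwk = jwks['keys'].find { |k| k['kid'] == kid }
  return [:unknown_kid, kid] unless jwk
  ok = rsa_key_from_jwk(jwk).verify(OpenSSL::Digest::SHA256.new, b64url_decode(s), "#{h}.#{p}")
  ok ? [:ok, JSON.parse(b64url_decode(p))] : [:bad_signature, kid]
end

KEY  = OpenSSL::PKey::RSA.new(2048)          # constructed test key, not a deployment key
JWKS = { 'keys' => [rsa_public_jwk(KEY)] }   # what the jwks_uri document would publish
GOOD = sign_rs256(KEY, JWKS['keys'][0]['kid'], 'sub' => 'alice')
# Same key, but a kid from some other generator (a constructed value): the client cannot find it in JWKS.
BAD  = sign_rs256(KEY, OpenSSL::Digest::SHA256.hexdigest(KEY.public_key.to_der), 'sub' => 'alice')
```

`verify_rs256(GOOD, JWKS)` returns `[:ok, {"sub"=>"alice"}]`, while `verify_rs256(BAD, JWKS)` returns `[:unknown_kid, ...]` even though the same key signed both tokens.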
#194 does this.