`kid` value in headers in different format after upgrading from 1.8.3 to 1.8.5 about doorkeeper-openid_connect HOT 2 CLOSED

The issue here is that with the switch to #177, the jwt gem defaults to a key generator of JWT::JWK::KidAsKeyDigest instead of JWT::JWK::Thumbprint, which implements RFC 7638: https://www.rfc-editor.org/rfc/rfc7638.

It's not obvious that applications need to set the generator to make the kid values backwards compatible with json-jwt:

JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint

This broke our application because we overrode Doorkeeper::OpenidConnect::DiscoveryController to export additional keys with RFC 7638 format via json-jwt, but Doorkeeper::OpenidConnect::IdToken uses a kid in the JWT::JWK::KidAsKeyDigest format. Clients would fail because the kid listed in the JWKS URL did not match the one provided in the token.

There is a json-jwt discussion to make RFC 7638 the default in a future version.

I think v1.8.x of this gem should default to the RFC7638 behavior:

diff --git a/lib/doorkeeper/openid_connect.rb b/lib/doorkeeper/openid_connect.rb
index b2bca97..d20642e 100644
--- a/lib/doorkeeper/openid_connect.rb
+++ b/lib/doorkeeper/openid_connect.rb
@@ -48,7 +48,7 @@ module Doorkeeper
         else
           OpenSSL::PKey.read(configuration.signing_key)
         end
-      ::JWT::JWK.new(key)
+      ::JWT::JWK.new(key, { kid_generator: JWT::JWK::Thumbprint })
     end
 
     def self.signing_key_normalized

I'm not sure if this needs to be customized. What do you think @nbulaj @kristof-mattei?

from doorkeeper-openid_connect.

#194 does this.

from doorkeeper-openid_connect.