The JWT must contain the kid

Created on 18 June 2014, almost 11 years ago

Updated 23 January 2024, about 1 year ago

For OpenID Connect we generate keys once a day, following Google's lead.
However, the id_token doesn't contain the kid of the generating key, meaning that the client must make sure to refetch keys once a day, and store them properly by date, without having a way to identify which id_token corresponds to which key.

We should make sure kid is there.

🐛 Bug report

Status

Active

Version

2.0

Component

Code

Created by

🇷🇸Serbia bojanz

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
🇺🇸United States torgosPizza Portland, OR
Comment about 1 year ago →
🇺🇸United States torgosPizza Portland, OR
Sorry, I updated the summary. Undoing that.

I found a matching library issue https://github.com/bshaffer/oauth2-server-php/issues/363 and PR: https://github.com/bshaffer/oauth2-server-php/pull/932 which looks like it could resolve it in the Library itself, and then the D7 module (which we are still on, sadly) may need to be updated as well because if we remove a key during rotation then it will still cause tokens to fail decryption.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024