
Conversation

@jcouyang

@jcouyang jcouyang commented Oct 14, 2025

…id parameter value.

There is a scenario where, when refreshing a token after a key rotation, the kid may be overridden by the session kid, which is the old one from before the rotation.
This results in an incorrect kid in the header of the newly issued access token.

According to RFC 7515 section 4.1.4, the kid in the token header shall match the JWK kid.

Related Issue or Design Document

Checklist

  • I have read the contributing guidelines and signed the CLA.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability.
    If this pull request addresses a security vulnerability,
    I confirm that I got approval (please contact [email protected]) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added the necessary documentation within the code base (if appropriate).

Further comments

@jcouyang jcouyang requested review from a team and aeneasr as code owners October 14, 2025 02:02
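The key-rotation scenario from the PR description above, as an added example that is not Hydra's own code: a minimal HS256 compact-JWS minter whose header kid can be set independently of the signing key, and a verifier that resolves the key by the header kid as RFC 7515 section 4.1.4 requires, so a token signed with the new key but stamped with the stale session kid is rejected. The key set, key names, secrets and claims are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed key set after a rotation: kid-old is kept for verification only.
var keySet = map[string][]byte{
	"kid-old": []byte("constructed-old-secret-0123456789"),
	"kid-new": []byte("constructed-new-secret-9876543210"),
}
var b64 = base64.RawURLEncoding

// mintToken signs with the key stored under signingKid but writes headerKid into
// the JOSE header; different values reproduce the stale session kid from the PR.
func mintToken(headerKid, signingKid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT", "kid": headerKid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, keySet[signingKid])
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// verifyToken picks the key named by the header kid (RFC 7515 section 4.1.4).
func verifyToken(token string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed compact JWS")
	}
	hdrJSON, err1 := b64.DecodeString(parts[0])
	sig, err2 := b64.DecodeString(parts[2])
	var hdr struct{ Alg, Kid string }
	if err1 != nil || err2 != nil || json.Unmarshal(hdrJSON, &hdr) != nil {
		return fmt.Errorf("undecodable header or signature")
	}
	key, ok := keySet[hdr.Kid]
	if hdr.Alg != "HS256" || !ok {
		return fmt.Errorf("unusable header: alg=%q kid=%q", hdr.Alg, hdr.Kid)
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return fmt.Errorf("signature does not verify under header kid %q", hdr.Kid)
	}
	return nil
}
```

A verifier that instead ignored the header kid and tried every key in the set would mask the bug; resolving the key strictly by kid is what makes the mismatch visible.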
@CLAassistant

CLAassistant commented Oct 14, 2025

CLA assistant check
All committers have signed the CLA.

@jcouyang jcouyang changed the title RFC7515: When used with a JWK, the kid value is used to match a JWK k… fix: When used with a JWK, the kid value is used to match a JWK k… Oct 14, 2025
@jcouyang jcouyang changed the title fix: When used with a JWK, the kid value is used to match a JWK k… fix: when used with a JWK, the kid value is used to match a JWK k… Oct 14, 2025