Default to RFC 7638 kid fingerprint generation

The switch from the `json-jwt` to `jwt` gem in doorkeeper-gem#177 changed the default `kid` generation from RFC 7638 (https://www.rfc-editor.org/rfc/rfc7638) to a format based on the SHA256 digest of the key elements. However, clients may fail if the the `kid` generated by `IdToken` does not match a key listed in JWKS discovery endpoint, which may be implemented by the application using RFC 7638-based `kid` values. To restore the previous behavior, applications have to set a global setting: ``` JWT.configuration.jwk.kid_generator_type = :rfc7638_thumbprint ``` However, relying on this global setting is not ideal since other keys may depend on the legacy `kid` values. In keeping with semantic versioning, restore the `kid` generation to RFC 7638. Whether this should be customizable can be discussed later. Closes doorkeeper-gem#193
stanhu · May 10, 2023 · 4f830ec · 4f830ec
1 parent 5a02f87
commit 4f830ec
Show file tree

Hide file tree

Showing 4 changed files with 5 additions and 5 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## Unreleased
 
 - [#PR ID] Add your changelog entry here.
+- [#194] Default to RFC 7638 kid fingerprint generation (thanks to @stanhu).
 
 ## v1.8.5 (2023-02-02)
 
@@ -10,6 +11,9 @@
 
 ## v1.8.4 (2023-02-01)
 
+Note that v1.8.4 changed the default kid fingerprint generation from RFC 7638 to a format
+based on the SHA256 digest of the key element. To restore the previous behavior, upgrade to v1.8.6.
+
 - [#177] Replace `json-jwt` with `ruby-jwt` to align with doorkeeper-jwt (thanks to @kristof-mattei).
 - [#185] Don't call active_record_options for Doorkeeper >= 5.6.3 (thanks to @zavan).
 - [#183] Stop render consent screen when user is not logged-in (thanks to @nov).

diff --git a/lib/doorkeeper/openid_connect.rb b/lib/doorkeeper/openid_connect.rb
@@ -48,7 +48,7 @@ def self.signing_key
         else
           OpenSSL::PKey.read(configuration.signing_key)
         end
-      ::JWT::JWK.new(key)
+      ::JWT::JWK.new(key, { kid_generator: JWT::JWK::Thumbprint })
     end
 
     def self.signing_key_normalized

diff --git a/spec/dummy/config/initializers/jwt.rb b/spec/dummy/config/initializers/jwt.rb
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
@@ -53,7 +53,6 @@
 
   # Reinitialize configuration after each example
   config.after do
-    load Rails.root.join('config/initializers/jwt.rb')
     load Rails.root.join('config/initializers/doorkeeper.rb')
     load Rails.root.join('config/initializers/doorkeeper_openid_connect.rb')
   end