fix: use up-to-date kid in JWT header when refreshing#3973
Conversation
tilgovi
force-pushed
the
refresh-kid
branch
4 times, most recently
from
576225f to
ed11711
Compare
|
Not sure if there's anything I should do about the CodeQL scanning results task failing. It seems spurious. |
aeneasr
left a comment
aeneasr
left a comment
There was a problem hiding this comment.
Thank you and good approach, some ideas to improve it further. I accepted the CodeQL issues
| "extra": { | ||
| } | ||
| }, | ||
| "headers": null, |
There was a problem hiding this comment.
Please keep the headers.extra keys, as changing them to null will potentially break webhook receivers.
| rotateJwks("hydra.jwt.access-token") | ||
| rotateJwks("hydra.openid.id-token") | ||
|
|
||
| cy.refreshTokenBrowser(client, tokensBefore.refresh_token).then( |
There was a problem hiding this comment.
This test isn't actually checking that the kid is set correctly, it only validates its non-equality. Can you please make sure that the kid is set correctly - either with a regex (expect a non-nil uuid) or some other way?
From the snapshots it looks like it was public:hydra.jwt.access-token before. What is the value now?
|
I pushed up three commits to restore the |
|
Also, please let me know how you'd like me to resolve conflicts, if at all. I can merge or rebase or squash at your preference. |
Co-authored-by: Randall Leeds <randall.leeds@nytimes.com>
|
I realized the checks wouldn't even run due to the conflict, so I rebased and squashed. |
|
And, I think the CI jobs flaked, but I can't re-run them. 😞 |
|
@aeneasr anything more I can do here? |
|
@aeneasr is it possible to get this change merged? |
6 participants
This PR is a variation on #3942 that attempts to solve the problem by letting fosite set the
kidheader of tokens and removing all of the code to explicitly set this header in JWTs.