feat: Add Key ID (kid) support to JWT assertions #652
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Adds support for the 'kid' (Key ID) header parameter in JWT assertions, allowing clients to specify the key identifier used for signing. This improves key management and verification in systems consuming JWTs. Updates `OAuth2::Strategy::Assertion#build_assertion` to accept `kid` in `encoding_opts` and include it in the JWT header. Also adds a test case to verify the functionality.
Removes an unnecessary empty line within the `build_assertion` method for improved code style and consistency.
Updates `.rubocop_gradual.lock` due to changes in `spec/oauth2/strategy/assertion_spec.rb`. This reflects the introduction of the new `kid` test context.
|
@pboling would love to have your review on this. Thank you. 🙏🏽 |
Pull Request Test Coverage Report for Build 15272497358Details
💛 - Coveralls |
pboling
approved these changes
May 27, 2025
|
Kids are great! 😊 |
|
I will release this in 2.0.12 soon |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #652 +/- ##
===========================
===========================
☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
CodeCov has inexplicably stopped working. This repo still has 100% coverage, and uses coveralls as an alternative service. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Feature: Support Key ID (kid) in JWT Bearer Assertions (RFC 7515)
This pull request implements support for the
kid(Key ID) header parameter in JWT bearer assertions, as defined in RFC 7515 (JSON Web Signature - JWS).The
OAuth2::Strategy::Assertionclass currently constructs JWTs for client authentication and authorization grants. While it supports specifying thealg(algorithm), it lacks the mechanism to pass akid. Thekidparameter is highly recommended in scenarios where a signer has multiple keys or undergoes regular key rotation, as it allows the JWT recipient to efficiently locate the appropriate public key for signature validation.Motivation
To facilitate more robust and scalable OAuth2 client implementations, especially for integrations with providers that leverage
kidfor key discovery and management, this feature becomes essential. It aligns the library's JWT generation capabilities more closely with common production practices and the broader JWT ecosystem.Implementation Details
privatemethodbuild_assertionwithinOAuth2::Strategy::Assertionhas been modified.:kidkey within theencoding_optshash passed toget_token.:kidis provided, it is correctly added as a header parameter to the JWT usingJWT.encode(..., headers).kidis correctly embedded in the JWT header when supplied.