Add "kid" to token header.

KN4CK3R · KN4CK3R · commit a6c42be75db4 · 2021-06-15T07:37:00.000+02:00
diff --git a/models/oauth2_application.go b/models/oauth2_application.go
@@ -560,6 +560,7 @@ func ParseOAuth2Token(jwtToken string) (*OAuth2Token, error) {
 func (token *OAuth2Token) SignToken() (string, error) {
 	token.IssuedAt = time.Now().Unix()
 	jwtToken := jwt.NewWithClaims(oauth2.DefaultSigningKey.SigningMethod(), token)
+	oauth2.DefaultSigningKey.PreProcessToken(jwtToken)
 	return jwtToken.SignedString(oauth2.DefaultSigningKey.SignKey())
 }
 
@@ -586,5 +587,6 @@ type OIDCToken struct {
 func (token *OIDCToken) SignToken(signingKey oauth2.JWTSigningKey) (string, error) {
 	token.IssuedAt = time.Now().Unix()
 	jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)
+	signingKey.PreProcessToken(jwtToken)
 	return jwtToken.SignedString(signingKey.SignKey())
 }
diff --git a/modules/auth/oauth2/jwtsigningkey.go b/modules/auth/oauth2/jwtsigningkey.go
@@ -45,6 +45,7 @@ type JWTSigningKey interface {
 	SignKey() interface{}
 	VerifyKey() interface{}
 	ToJWK() (map[string]string, error)
+	PreProcessToken(*jwt.Token)
 }
 
 type hmacSingingKey struct {
@@ -75,9 +76,25 @@ func (key hmacSingingKey) ToJWK() (map[string]string, error) {
 	}, nil
 }
 
+func (key hmacSingingKey) PreProcessToken(*jwt.Token) {}
+
 type rsaSingingKey struct {
 	signingMethod jwt.SigningMethod
 	key           *rsa.PrivateKey
+	id            string
+}
+
+func newRSASingingKey(signingMethod jwt.SigningMethod, key *rsa.PrivateKey) (rsaSingingKey, error) {
+	kid, err := createPublicKeyFingerprint(key.Public().(*rsa.PublicKey))
+	if err != nil {
+		return rsaSingingKey{}, err
+	}
+
+	return rsaSingingKey{
+		signingMethod,
+		key,
+		base64.RawURLEncoding.EncodeToString(kid),
+	}, nil
 }
 
 func (key rsaSingingKey) IsSymmetric() bool {
@@ -99,23 +116,36 @@ func (key rsaSingingKey) VerifyKey() interface{} {
 func (key rsaSingingKey) ToJWK() (map[string]string, error) {
 	pubKey := key.key.Public().(*rsa.PublicKey)
 
-	kid, err := createPublicKeyFingerprint(pubKey)
-	if err != nil {
-		return nil, err
-	}
-
 	return map[string]string{
 		"kty": "RSA",
 		"alg": key.SigningMethod().Alg(),
-		"kid": base64.RawURLEncoding.EncodeToString(kid),
+		"kid": key.id,
 		"e":   base64.RawURLEncoding.EncodeToString(big.NewInt(int64(pubKey.E)).Bytes()),
 		"n":   base64.RawURLEncoding.EncodeToString(pubKey.N.Bytes()),
 	}, nil
 }
 
+func (key rsaSingingKey) PreProcessToken(token *jwt.Token) {
+	token.Header["kid"] = key.id
+}
+
 type ecdsaSingingKey struct {
 	signingMethod jwt.SigningMethod
 	key           *ecdsa.PrivateKey
+	id            string
+}
+
+func newECDSASingingKey(signingMethod jwt.SigningMethod, key *ecdsa.PrivateKey) (ecdsaSingingKey, error) {
+	kid, err := createPublicKeyFingerprint(key.Public().(*ecdsa.PublicKey))
+	if err != nil {
+		return ecdsaSingingKey{}, err
+	}
+
+	return ecdsaSingingKey{
+		signingMethod,
+		key,
+		base64.RawURLEncoding.EncodeToString(kid),
+	}, nil
 }
 
 func (key ecdsaSingingKey) IsSymmetric() bool {
@@ -137,21 +167,20 @@ func (key ecdsaSingingKey) VerifyKey() interface{} {
 func (key ecdsaSingingKey) ToJWK() (map[string]string, error) {
 	pubKey := key.key.Public().(*ecdsa.PublicKey)
 
-	kid, err := createPublicKeyFingerprint(pubKey)
-	if err != nil {
-		return nil, err
-	}
-
 	return map[string]string{
 		"kty": "EC",
 		"alg": key.SigningMethod().Alg(),
-		"kid": base64.RawURLEncoding.EncodeToString(kid),
+		"kid": key.id,
 		"crv": pubKey.Params().Name,
 		"x":   base64.RawURLEncoding.EncodeToString(pubKey.X.Bytes()),
 		"y":   base64.RawURLEncoding.EncodeToString(pubKey.Y.Bytes()),
 	}, nil
 }
 
+func (key ecdsaSingingKey) PreProcessToken(token *jwt.Token) {
+	token.Header["kid"] = key.id
+}
+
 // createPublicKeyFingerprint creates a fingerprint of the given key.
 // The fingerprint is the sha256 sum of the PKIX structure of the key.
 func createPublicKeyFingerprint(key interface{}) ([]byte, error) {
@@ -199,13 +228,13 @@ func CreateJWTSingingKey(algorithm string, key interface{}) (JWTSigningKey, erro
 		if !ok {
 			return nil, jwt.ErrInvalidKeyType
 		}
-		return ecdsaSingingKey{signingMethod, privateKey}, nil
+		return newECDSASingingKey(signingMethod, privateKey)
 	case *jwt.SigningMethodRSA:
 		privateKey, ok := key.(*rsa.PrivateKey)
 		if !ok {
 			return nil, jwt.ErrInvalidKeyType
 		}
-		return rsaSingingKey{signingMethod, privateKey}, nil
+		return newRSASingingKey(signingMethod, privateKey)
 	default:
 		secret, ok := key.([]byte)
 		if !ok {

Original file line number	Diff line number	Diff line change
`@@ -560,6 +560,7 @@ func ParseOAuth2Token(jwtToken string) (*OAuth2Token, error) {`
`560`	`560`	`func (token *OAuth2Token) SignToken() (string, error) {`
`561`	`561`	`token.IssuedAt = time.Now().Unix()`
`562`	`562`	`jwtToken := jwt.NewWithClaims(oauth2.DefaultSigningKey.SigningMethod(), token)`
	`563`	`+ oauth2.DefaultSigningKey.PreProcessToken(jwtToken)`
`563`	`564`	`return jwtToken.SignedString(oauth2.DefaultSigningKey.SignKey())`
`564`	`565`	`}`
`565`	`566`
`@@ -586,5 +587,6 @@ type OIDCToken struct {`
`586`	`587`	`func (token *OIDCToken) SignToken(signingKey oauth2.JWTSigningKey) (string, error) {`
`587`	`588`	`token.IssuedAt = time.Now().Unix()`
`588`	`589`	`jwtToken := jwt.NewWithClaims(signingKey.SigningMethod(), token)`
	`590`	`+ signingKey.PreProcessToken(jwtToken)`
`589`	`591`	`return jwtToken.SignedString(signingKey.SignKey())`
`590`	`592`	`}`