add kid to JWT header

SUNET · Mar 13, 2024 · 36a8691 · 36a8691
1 parent c6bd080
commit 36a8691
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 2 deletions.
diff --git a/src/auth_server/flows.py b/src/auth_server/flows.py
@@ -390,7 +390,7 @@ async def create_auth_token(self) -> Optional[GrantResponse]:
         claims = await self.create_claims()
 
         # Create access token
-        token = jwt.JWT(header={"alg": "ES256"}, claims=claims.to_rfc7519())
+        token = jwt.JWT(header={"alg": "ES256", "kid": self.config.signing_key_id}, claims=claims.to_rfc7519())
         token.make_signed_token(key=self.signing_key)
         expires_in = None
         if claims.exp:
@@ -402,7 +402,7 @@ async def create_auth_token(self) -> Optional[GrantResponse]:
             expires_in=expires_in,
         )
         logger.info(f"OK:{self.state.key_reference}:{self.config.auth_token_audience}")
-        logger.debug(f"claims: {claims.dict(exclude_none=True)}")
+        logger.debug(f"claims: {claims.model_dump(exclude_none=True)}")
         return None
 
     async def finalize_transaction(self) -> Optional[GrantResponse]:

diff --git a/src/auth_server/tests/test_app.py b/src/auth_server/tests/test_app.py
@@ -124,6 +124,7 @@ def _get_access_token_claims(self, access_token: Dict, client: Optional[TestClie
         response = client.get("/.well-known/jwk.json")
         assert response.status_code == 200
         token = jwt.JWT(key=jwk.JWK(**response.json()), jwt=access_token["value"])
+        assert json.loads(token.header)["kid"] == response.json()["kid"]
         return json.loads(token.claims)
 
     def _get_transaction_state_by_id(self, transaction_id) -> TransactionState: