
No easy way to customize JWT header

Open bshaffer opened this issue 10 years ago • 11 comments

The Jwt encryption class has the header hardcoded in the encode function, and requires quite a bit to override.

We should make sign protected, and make the headers editable (or pass them in when you encode the token in the first place)

bshaffer avatar Apr 02 '14 15:04 bshaffer

Agreed. If we want to support key rollover on the app side for OpenID Connect (something that Google does for its implementation), we need a way to stick the key id in that header.

bojanz avatar May 21 '14 19:05 bojanz

Yep, exactly. I'm doing this in my own implementation, but I've had to override the JWT class to do s

— Brent Shaffer

bshaffer avatar May 22 '14 16:05 bshaffer

We'll either need to add a $kid param to encode() as well, or make the private key an array / object, no?

bojanz avatar May 27 '14 22:05 bojanz

I think we'd want something more robust, as there are many parameters available, not just "kid"

bshaffer avatar May 29 '14 22:05 bshaffer

Implemented with https://github.com/bshaffer/oauth2-server-php/pull/795

svycka avatar Jun 08 '17 06:06 svycka

@svycka @bshaffer when will #795 be released?

clubery avatar Aug 26 '17 12:08 clubery

It is merged, so it will be in the next release.

svycka avatar Aug 26 '17 14:08 svycka

@svycka I believe that you may be confusing the JWT header with the JWT payload. #795 made it easier to modify the payload; however, the JWT header is generated later, during the encodeToken phase.

BVMiko avatar May 22 '18 23:05 BVMiko

@BVMiko Yes, you are right, this is for the payload, not the header.

svycka avatar May 23 '18 05:05 svycka

The kid must be placed in the JWT header of the ID token.

menturion avatar Jan 06 '22 18:01 menturion
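To make concrete why the `kid` has to live in the JWT header rather than the payload (the point raised by bojanz about key rollover, by BVMiko about the header being built separately in encodeToken, and by menturion about ID tokens), here is a small added example, not code from oauth2-server-php or any of the commenters. It builds a token with a caller-supplied header, then verifies it by reading `kid` from the header to pick the right key from a set, which is exactly what a relying party does when the issuer publishes a new key and retires the old one. It uses HS256 with standard-library HMAC so it runs offline; OpenID Connect ID tokens are normally RS256 against a published JWKS, but the kid-selection logic is identical. All key names and secrets are constructed for the example.

```python
"""JWT with a caller-controlled header containing `kid`, plus a verifier that
selects the signing key by `kid` during key rollover.

Added example; it does not use oauth2-server-php classes. HS256 is used only
so the script runs with the standard library; OIDC ID tokens use RS256."""
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

ALG = "HS256"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode(payload: dict, key: bytes, kid: str,
           extra_headers: Optional[dict] = None) -> str:
    """Sign `payload` and put `kid` (and any extra header params) in the JOSE header.

    The header is merged from caller input, which is what the issue asks for;
    `alg` is pinned afterwards so a caller cannot downgrade it."""
    header = {"typ": "JWT", "kid": kid}
    if extra_headers:
        header.update(extra_headers)
    header["alg"] = ALG
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def header_of(token: str) -> dict:
    """Parse the (unverified) JOSE header. Safe to read only for key selection."""
    return json.loads(b64url_decode(token.split(".")[0]))


def decode(token: str, keys: Dict[str, bytes]) -> dict:
    """Verify `token` against the key set, choosing the key by the header `kid`.

    Without `kid` in the header the verifier would have to try every key; with
    it, an unknown or retired kid is rejected outright."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != ALG:          # never trust alg from the token
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    if kid not in keys:
        raise ValueError("unknown kid")
    expected = hmac.new(keys[kid], f"{parts[0]}.{parts[1]}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(parts[1]))


def rollover_demo() -> dict:
    """Walk through a key rollover: publish a new key, then retire the old one."""
    old_key = b"constructed-old-key-2022-01"   # constructed secret
    new_key = b"constructed-new-key-2022-02"   # constructed secret
    keys = {"2022-01": old_key}
    old_token = encode({"sub": "alice"}, old_key, "2022-01")

    # Step 1: publish the new key alongside the old one; both kids verify.
    keys["2022-02"] = new_key
    new_token = encode({"sub": "bob"}, new_key, "2022-02")
    result = {
        "old_before_retire": decode(old_token, keys)["sub"],
        "new": decode(new_token, keys)["sub"],
    }

    # Step 2: retire the old key; tokens carrying its kid are now rejected.
    del keys["2022-01"]
    try:
        decode(old_token, keys)
        result["old_after_retire"] = "accepted"
    except ValueError as exc:
        result["old_after_retire"] = str(exc)
    return result


if __name__ == "__main__":
    print(json.dumps(rollover_demo(), indent=2))
```

Note that `kid` is read from the header before the signature is checked: that is unavoidable, since the verifier needs it to choose the key, which is why the verifier only uses it as a lookup into a key set it already trusts and never honours a token-supplied `alg`.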

I believe we have this fixed downstream in the Drupal Oauth2_Server module:

https://github.com/matrix-org/synapse/issues/13747#issuecomment-1268719703

https://www.drupal.org/project/oauth2_server/issues/2288237#comment-14737774

natecovington avatar Oct 11 '22 14:10 natecovington