JWT shouldn't have a "kid" when using symmetric sign algorithm
Affected version
Version: 2.18.1
Platform: Nginx
Summary
When using HS256 (or 384 | 512) as ID Token signature algorithm in an OpenIDConnect Relying Party, a "kid" property is added even though no asymmetric key will be used. This confuses Apache mod_auth_openidc (latest version in Debian), which fails to verify the signature and rejects the token.
Note: this manifests only because we do have RSA signing keys with a "kid" configured in OpenID Connect Service.
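An added illustration of the failure described above (example code, not LemonLDAP::NG's or mod_auth_openidc's own): a minimal HS256 signer, the header rule the issue asks for (no "kid" on symmetric algorithms), and a simplified, assumed model of an RP that resolves any "kid" against the provider's JWKS before trying the shared secret. The secret and the kid value are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not taken from the issue: the RP's shared secret
# and the kid of the provider's RSA signing key (oidcServiceKeyIdSig).
CLIENT_SECRET = b"constructed-client-secret"
RSA_KID = "default"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jose_header(alg: str, rsa_kid: str) -> dict:
    """Header as the issue proposes: 'kid' only for asymmetric algorithms."""
    header = {"alg": alg, "typ": "JWT"}
    if not alg.startswith("HS"):
        header["kid"] = rsa_kid
    return header


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Minimal HS256 signer producing the compact serialisation."""
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def rp_verify(token: str, secret: bytes) -> bool:
    """Assumed, simplified RP behaviour (not mod_auth_openidc's code): a 'kid'
    is resolved against the provider's JWKS first. The JWKS holds only RSA
    keys, so the lookup yields an RSA key (or nothing) that cannot check an
    HMAC signature and the token is rejected before the secret is ever tried."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    if "kid" in header:
        return False  # kid selects an RSA JWKS entry or nothing; HMAC never tried
    if header.get("alg") != "HS256":
        return False
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(s_b64))
```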
Possible fixes
I tried to remove the following three lines in Portal/Lib/OpenIDConnect.pm:
--- Portal/Lib/OpenIDConnect.pm.ori 2024-01-15 14:56:20.675925536 +0100
+++ Portal/Lib/OpenIDConnect.pm 2024-01-15 14:52:27.247075049 +0100
@@ -2267,9 +2267,6 @@
encode_jwt(
payload => to_json($payload),
alg => $alg,
- extra_headers => {
- kid => $self->conf->{oidcServiceKeyIdSig},
- },
@keyArg,
);
};
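Review bot: deleting the extra_headers block unconditionally also drops the "kid" for asymmetric algorithms (RS256 and friends), since `$alg` is a variable here, and that is exactly the case where an RP needs the kid to pick the right key from the provider's JWKS; an RP facing a JWKS with more than one signing key may then fail where it worked before. Make the header depend on the algorithm instead, e.g. replace the three removed lines with `( $alg =~ /^HS/ ? () : ( extra_headers => { kid => $self->conf->{oidcServiceKeyIdSig} } ) ),`, and cover both an HS256 and an RS256 ID token in the tests so the two paths do not regress each other.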
and it does seem to fix this problem (tested only with HS256 and RS256).
May be related to commit 7a407da7; seems like a previous issue #3066 (closed) was fixed two times in parallel :-)