-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wrong KID in headers of ID Token for a Refresh Token #3573
Comments
Hi, please upgrade to 2.x as we have done some major reworking in the JWKs logic. Thanks! |
I can confirm a similar experience with JWT access tokens. After performing a key rotation, refresh tokens still use the old |
I'm not sure if I'm following right, but a quick attempt to debug leads me to maybe these places:
When generating an access token with the JWT strategy, it looks like the headers from the existing JWT session get copied over. |
@tilgovi What version of Hydra are you using? |
v2.2.0, the latest release |
The (unreleased) change in ory/fosite#799 ensures that |
I saw that fosite was released and this is now approachable. I'm just not sure about the existing session model and whether to keep |
Preflight checklist
Describe the bug
When requesting a refresh token we are seeing a case where the headers of the included id_token state one KID value, but in reality it is signed by a newer KID. This behavior occurs with refresh tokens that existed before we added a new keyset for "hydra.openid.id-token". I have been trying to parse through the source code, but I think the crux of the issues is KID is saved in the session and when a new keyset is added it is unaware. If this was a bug that you fixed in a newer version that would be great to know as well. I acknowledge that this may be user error on our part, but I can't figure out how it could be.
Reproducing the bug
For us the steps to reproduce are:
Relevant log output
No response
Relevant configuration
No response
Version
1.11.8
On which operating system are you observing this issue?
Linux
In which environment are you deploying?
Docker
Additional Context
No response
The text was updated successfully, but these errors were encountered: