Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Wrong KID in headers of ID Token for a Refresh Token #3573

Open
3 of 6 tasks
jvisker opened this issue Jul 13, 2023 · 7 comments
Open
3 of 6 tasks

Wrong KID in headers of ID Token for a Refresh Token #3573

jvisker opened this issue Jul 13, 2023 · 7 comments
Labels
bug Something is not working.

Comments

@jvisker
Copy link

jvisker commented Jul 13, 2023

Preflight checklist

Describe the bug

When requesting a refresh token we are seeing a case where the headers of the included id_token state one KID value, but in reality it is signed by a newer KID. This behavior occurs with refresh tokens that existed before we added a new keyset for "hydra.openid.id-token". I have been trying to parse through the source code, but I think the crux of the issues is KID is saved in the session and when a new keyset is added it is unaware. If this was a bug that you fixed in a newer version that would be great to know as well. I acknowledge that this may be user error on our part, but I can't figure out how it could be.

Reproducing the bug

For us the steps to reproduce are:

  1. Go through an authcode flow and log in process that gives back an refresh token and id token
  2. Add a new keyset for “hydra.openid.id-token”
  3. Use the refresh token to get a new access token and id token
  4. Inspect the id token and validate that the KID and signature do not work together

Relevant log output

No response

Relevant configuration

No response

Version

1.11.8

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker

Additional Context

No response

@jvisker jvisker added the bug Something is not working. label Jul 13, 2023
@aeneasr
Copy link
Member

aeneasr commented Jul 14, 2023

Hi, please upgrade to 2.x as we have done some major reworking in the JWKs logic. Thanks!

@tilgovi
Copy link

tilgovi commented Aug 23, 2024

I can confirm a similar experience with JWT access tokens. After performing a key rotation, refresh tokens still use the old kid but are signed by the new key.

@tilgovi
Copy link

tilgovi commented Aug 23, 2024

I'm not sure if I'm following right, but a quick attempt to debug leads me to maybe these places:

When generating an access token with the JWT strategy, it looks like the headers from the existing JWT session get copied over.

@terev
Copy link
Contributor

terev commented Aug 24, 2024

@tilgovi What version of Hydra are you using?

@tilgovi
Copy link

tilgovi commented Aug 24, 2024

v2.2.0, the latest release

@tilgovi
Copy link

tilgovi commented Oct 7, 2024

The (unreleased) change in ory/fosite#799 ensures that kid is set based on whatever key is used at the time signing is done, but it's still overwritten by the kid being passed as explicit extra headers. Removing KID from Session in Hydra fixes this issue. I don't know if that's a breaking change or not, but if it's possible to make a release of Fosite then I'll open a PR here to upgrade and remove the superfluous code in Hydra and we can discuss in the PR what it might take to merge that.

@tilgovi
Copy link

tilgovi commented Jan 22, 2025

I saw that fosite was released and this is now approachable. I'm just not sure about the existing session model and whether to keep KID in it or not. It's easy to remove the kid from the header here and then tokens issued for refresh grants have proper kids even after a key rotation. But I'm not sure about the fact that the KID that's part of the Session is set in the handler outside of transaction, and extracted from the current token. The easiest thing would be to delete KID everywhere and not worry about it, but maybe some customers depend on seeing the KID in the session data in a refresh hook? I'm not sure where all it shows up.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something is not working.
Projects
None yet
Development

No branches or pull requests

4 participants