fix: use up-to-date kid in JWT header when refreshing

Co-authored-by: Randall Leeds <[email protected]>

Author: NilsBarlaug

cypress/helpers/index.js

@@ -98,3 +98,20 @@ const deleteGrant = (id) =>
     "DELETE",
     Cypress.env("admin_url") + "/trust/grants/jwt-bearer/issuers/" + id,
   )
+
+export const validateJwt = (jwt) =>
+  cy
+    .request({
+      method: "POST",
+      url: `${Cypress.env("client_url")}/oauth2/validate-jwt`,
+      form: true,
+      body: { jwt },
+    })
+    .then(({ body }) => body)
+
+export const rotateJwks = (set) =>
+  cy
+    .request("POST", `${Cypress.env("admin_url")}/keys/${set}`, {
+      alg: "RS256",
+    })
+    .then(({ body }) => body)

cypress/integration/oauth2/jwt.js

@@ -1,7 +1,7 @@
 // Copyright © 2022 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { createClient, prng } from "../../helpers"
+import { createClient, prng, validateJwt } from "../../helpers"
 
 const accessTokenStrategies = ["opaque", "jwt"]
 
@@ -44,15 +44,12 @@ describe("OAuth 2.0 JSON Web Token Access Tokens", () => {
               expect(token.refresh_token).to.not.be.empty
               expect(token.access_token.split(".").length).to.equal(3)
               expect(token.refresh_token.split(".").length).to.equal(2)
-            })
 
-          cy.request(`${Cypress.env("client_url")}/oauth2/validate-jwt`)
-            .its("body")
-            .then((body) => {
-              console.log(body)
-              expect(body.sub).to.eq("[email protected]")
-              expect(body.client_id).to.eq(client.client_id)
-              expect(body.jti).to.not.be.empty
+              validateJwt(token.access_token).then(({ payload }) => {
+                expect(payload.sub).to.eq("[email protected]")
+                expect(payload.client_id).to.eq(client.client_id)
+                expect(payload.jti).to.not.be.empty
+              })
             })
         })
       })

cypress/integration/oauth2/refresh_token.js

@@ -1,7 +1,7 @@
 // Copyright © 2022 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { createClient, prng } from "../../helpers"
+import { createClient, prng, rotateJwks, validateJwt } from "../../helpers"
 
 const accessTokenStrategies = ["opaque", "jwt"]
 
@@ -100,6 +100,61 @@ describe("The OAuth 2.0 Refresh Token Grant", function () {
           })
         })
       })
+
+      const validateJwtAndGetKid = (token) =>
+        validateJwt(token).then(({ header }) => header.kid)
+
+      it("should refresh the Access and ID Token with newly rotated keys", function () {
+        if (
+          accessTokenStrategy === "opaque" ||
+          (Cypress.env("jwt_enabled") !== "true" &&
+            !Boolean(Cypress.env("jwt_enabled")))
+        ) {
+          this.skip()
+        }
+
+        const referrer = `${Cypress.env("client_url")}/empty`
+        cy.visit(referrer, {
+          failOnStatusCode: false,
+        })
+
+        createClient({
+          scope: "offline_access openid",
+          redirect_uris: [referrer],
+          grant_types: ["authorization_code", "refresh_token"],
+          response_types: ["code"],
+          token_endpoint_auth_method: "none",
+        }).then((client) => {
+          cy.authCodeFlowBrowser(client, {
+            consent: {
+              scope: ["offline_access", "openid"],
+            },
+            createClient: false,
+          }).then(({ body: tokensBefore }) => {
+            const kidsBefore = {
+              accessToken: validateJwtAndGetKid(tokensBefore.access_token),
+              idToken: validateJwtAndGetKid(tokensBefore.id_token),
+            }
+
+            rotateJwks("hydra.jwt.access-token")
+            rotateJwks("hydra.openid.id-token")
+
+            cy.refreshTokenBrowser(client, tokensBefore.refresh_token).then(
+              ({ body: tokensAfter }) => {
+                const kidsAfter = {
+                  accessToken: validateJwtAndGetKid(tokensAfter.access_token),
+                  idToken: validateJwtAndGetKid(tokensAfter.id_token),
+                }
+
+                expect(kidsAfter.accessToken).to.not.equal(
+                  kidsBefore.accessToken,
+                )
+                expect(kidsAfter.idToken).to.not.equal(kidsBefore.idToken)
+              },
+            )
+          })
+        })
+      })
     })
   })
 })

cypress/support/commands.js

@@ -196,10 +196,9 @@ Cypress.Commands.add(
       })
     }
     if (doCreateClient) {
-      createClient(client).then(run)
-      return
+      return createClient(client).then(run)
     }
-    run(client)
+    return run(client)
   },
 )
 

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=opaque-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestUnmarshalSession-v1.11.8.json

@@ -35,7 +35,6 @@
     "subject": "[email protected]"
   },
   "extra": {},
-  "kid": "public:hydra.jwt.access-token",
   "client_id": "auth-code-client",
   "consent_challenge": "2261efbd447044a1b2f76b05c6aca164",
   "exclude_not_before_claim": false,

oauth2/.snapshots/TestUnmarshalSession-v1.11.9.json

@@ -35,7 +35,6 @@
     "subject": "[email protected]"
   },
   "extra": {},
-  "kid": "public:hydra.jwt.access-token",
   "client_id": "auth-code-client",
   "consent_challenge": "2261efbd447044a1b2f76b05c6aca164",
   "exclude_not_before_claim": false,

oauth2/handler.go

@@ -701,15 +701,7 @@ func (h *Handler) getOidcUserInfo(w http.ResponseWriter, r *http.Request) {
 		interim["jti"] = uuid.New()
 		interim["iat"] = time.Now().Unix()
 
-		keyID, err := h.r.OpenIDJWTStrategy().GetPublicKeyID(ctx)
-		if err != nil {
-			h.r.Writer().WriteError(w, r, err)
-			return
-		}
-
-		token, _, err := h.r.OpenIDJWTStrategy().Generate(ctx, interim, &jwt.Headers{
-			Extra: map[string]interface{}{"kid": keyID},
-		})
+		token, _, err := h.r.OpenIDJWTStrategy().Generate(ctx, interim, &jwt.Headers{})
 		if err != nil {
 			h.r.Writer().WriteError(w, r, err)
 			return
@@ -1179,17 +1171,6 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) {
 	if accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeClientCredentials)) ||
 		accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeJWTBearer)) ||
 		accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypePassword)) {
-		var accessTokenKeyID string
-		if h.c.AccessTokenStrategy(ctx, client.AccessTokenStrategySource(accessRequest.GetClient())) == "jwt" {
-			accessTokenKeyID, err = h.r.AccessTokenJWTStrategy().GetPublicKeyID(ctx)
-			if err != nil {
-				h.logOrAudit(err, r)
-				h.r.OAuth2Provider().WriteAccessError(ctx, w, accessRequest, err)
-				events.Trace(ctx, events.TokenExchangeError, events.WithRequest(accessRequest))
-				return
-			}
-		}
-
 		// only for client_credentials, otherwise Authentication is included in session
 		if accessRequest.GetGrantTypes().ExactOne(string(fosite.GrantTypeClientCredentials)) {
 			session.Subject = accessRequest.GetClient().GetID()
@@ -1207,7 +1188,6 @@ func (h *Handler) oauth2TokenExchange(w http.ResponseWriter, r *http.Request) {
 			}
 		}
 		session.ClientID = accessRequest.GetClient().GetID()
-		session.KID = accessTokenKeyID
 		session.DefaultSession.Claims.Issuer = h.c.IssuerURL(ctx).String()
 		session.DefaultSession.Claims.IssuedAt = time.Now().UTC()
 
@@ -1399,21 +1379,6 @@ func (h *Handler) updateSessionWithRequest(
 		request.GrantAudience(audience)
 	}
 
-	openIDKeyID, err := h.r.OpenIDJWTStrategy().GetPublicKeyID(ctx)
-	if err != nil {
-		x.LogError(r, err, h.r.Logger())
-		return nil, err
-	}
-
-	var accessTokenKeyID string
-	if h.c.AccessTokenStrategy(ctx, client.AccessTokenStrategySource(request.GetClient())) == "jwt" {
-		accessTokenKeyID, err = h.r.AccessTokenJWTStrategy().GetPublicKeyID(ctx)
-		if err != nil {
-			x.LogError(r, err, h.r.Logger())
-			return nil, err
-		}
-	}
-
 	obfuscatedSubject, err := h.r.ConsentStrategy().ObfuscateSubjectIdentifier(ctx, request.GetClient(), consent.ConsentRequest.Subject, consent.ConsentRequest.ForceSubjectIdentifier)
 	if e := &(fosite.RFC6749Error{}); errors.As(err, &e) {
 		x.LogAudit(r, err, h.r.AuditLogger())
@@ -1451,13 +1416,8 @@ func (h *Handler) updateSessionWithRequest(
 		session.DefaultSession = &openid.DefaultSession{}
 	}
 	session.DefaultSession.Claims = claims
-	session.DefaultSession.Headers = &jwt.Headers{Extra: map[string]interface{}{
-		// required for lookup on jwk endpoint
-		"kid": openIDKeyID,
-	}}
 	session.DefaultSession.Subject = consent.ConsentRequest.Subject
 	session.Extra = consent.Session.AccessToken
-	session.KID = accessTokenKeyID
 	session.ClientID = request.GetClient().GetID()
 	session.ConsentChallenge = consent.ConsentRequestID
 	session.ExcludeNotBeforeClaim = h.c.ExcludeNotBeforeClaim(ctx)
@@ -1618,13 +1578,7 @@ func (h *Handler) createVerifiableCredential(w http.ResponseWriter, r *http.Requ
 		}
 	}
 
-	signingKeyID, err := h.r.OpenIDJWTStrategy().GetPublicKeyID(ctx)
-	if err != nil {
-		h.r.Writer().WriteError(w, r, errorsx.WithStack(err))
-		return
-	}
 	headers := jwt.NewHeaders()
-	headers.Add("kid", signingKeyID)
 	mapClaims, err := vcClaims.ToMapClaims()
 	if err != nil {
 		h.r.Writer().WriteError(w, r, errorsx.WithStack(err))