amichair commented on PR #2744: URL: https://github.com/apache/james-project/pull/2744#issuecomment-2980505030
Regarding DefaultPublicKeyProvider.computeKid - although the kid header is standard, its value is not. There was no previous implementation so I had to pick something... I went with the standard JWK Thumbprint of the key (RFC 7638) - the calculation is standard, and is commonly used as a kid (though not required). The implementation is self-contained in the class, and tested against an external thumbprint calculator (added a test validating that the results are equal).

Should be backwards compatible with any previous JWT that doesn't have a kid because that flow is unaffected. It's also unrelated to the JWKS provider which already had its kids which have not changed. I didn't test the ED case, since ED keys don't work at all in James afaict, but left that piece of code for completeness and hopefully future-compatibility.

So the only thing that can potentially break is if someone is using PEM keys (not JWKS) that specify a kid (even though they were not supported in James until now) using a calculation other than the JWK thumbprint one. They will have to generate new tokens, though it's not very likely there are many out there, if at all.
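
The RFC 7638 thumbprint calculation the comment refers to, as an added example that is not the PR's `DefaultPublicKeyProvider` code: the class and method names are hypothetical, and it assumes Java 16+ and, for EC keys, a NIST prime curve. It goes beyond the comment by covering EC as well as RSA keys (Ed keys are not covered) and shows the two encoding details that most often make a locally computed kid disagree with an external calculator.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.interfaces.*;
import java.util.Base64;

public class JwkThumbprintKid {
    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Unsigned big-endian bytes, left-padded to minLen (0 = minimal length).
    // BigInteger.toByteArray() can prepend a 0x00 sign byte, which must not be encoded.
    static String b64(BigInteger v, int minLen) {
        byte[] raw = v.toByteArray();
        int start = (raw.length > 1 && raw[0] == 0) ? 1 : 0;
        int n = raw.length - start;
        byte[] out = new byte[Math.max(n, minLen)];
        System.arraycopy(raw, start, out, out.length - n, n);
        return B64URL.encodeToString(out);
    }

    // RFC 7638 hash input: required members only, lexicographic order, no whitespace.
    static String canonicalJwk(PublicKey key) {
        if (key instanceof RSAPublicKey rsa) {
            return "{\"e\":\"" + b64(rsa.getPublicExponent(), 0) + "\",\"kty\":\"RSA\",\"n\":\""
                    + b64(rsa.getModulus(), 0) + "\"}";
        }
        if (key instanceof ECPublicKey ec) {
            // Assumption: a NIST prime curve (P-256/P-384/P-521), named by its field size.
            int bits = ec.getParams().getCurve().getField().getFieldSize();
            int len = (bits + 7) / 8; // x and y are fixed-width, so leading zeros are kept
            return "{\"crv\":\"P-" + bits + "\",\"kty\":\"EC\",\"x\":\"" + b64(ec.getW().getAffineX(), len)
                    + "\",\"y\":\"" + b64(ec.getW().getAffineY(), len) + "\"}";
        }
        throw new IllegalArgumentException("unsupported key type: " + key.getAlgorithm());
    }

    static String kid(PublicKey key) throws Exception {
        byte[] json = canonicalJwk(key).getBytes(StandardCharsets.UTF_8);
        return B64URL.encodeToString(MessageDigest.getInstance("SHA-256").digest(json));
    }

    public static void main(String[] args) throws Exception {
        for (String[] a : new String[][] {{"RSA", "2048"}, {"EC", "256"}}) {
            KeyPairGenerator g = KeyPairGenerator.getInstance(a[0]); // keys constructed for the demo
            g.initialize(Integer.parseInt(a[1]));
            System.out.println(a[0] + " kid: " + kid(g.generateKeyPair().getPublic()));
        }
    }
}
```

Because the hash covers only the required public members, the kid is stable across re-exports of the same key and changes whenever the key does, which is why tokens minted with a differently derived kid stop matching.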