From 9756094ae2d3a3e45215b053d23d32f8f6005769 Mon Sep 17 00:00:00 2001
From: Naz
Date: Mon, 23 May 2022 18:45:08 +0800
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fixed=20signing=20key=20mismatch?=
 =?UTF-8?q?ing=20in=20JWT/JWKS?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs https://github.com/TryGhost/Team/issues/1640
closes https://github.com/TryGhost/Members/pull/401/
refs https://forum.ghost.org/t/ghost-jwt-question-possible-bug/30210
- Without `keyid` parameter some of the clien libraries were not able to match the signin key to verify JWT
- Missing `keyid` parameter allows to indicate the key used to secure JWS (as per https://www.rfc-editor.org/rfc/rfc7515#section-4.1.4) and resolves the automatic matching issue on the client.
- The `kid` parameter was left in claims to avoid accidental breaking changes.
---
 ghost/members-api/lib/services/token.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ghost/members-api/lib/services/token.js b/ghost/members-api/lib/services/token.js
index 29c4de4063..cc883e481c 100644
--- a/ghost/members-api/lib/services/token.js
+++ b/ghost/members-api/lib/services/token.js
@@ -20,6 +20,7 @@ module.exports = class TokenService {
 sub,
 kid: jwk.kid
 }, this._privateKey, {
+ keyid: jwk.kid,
 algorithm: 'RS512',
 audience: this._issuer,
 expiresIn: '10m',
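Review bot: The added `keyid: jwk.kid` line has no comment explaining why the key id now appears twice, once as a JWS header parameter and once as a payload claim two lines above, and a later maintainer is likely to "deduplicate" one of them and reintroduce the matching bug; a short why-comment on the new line would prevent that, e.g. `// keyid populates the JWS header "kid" (RFC 7515 §4.1.4) so verifiers can pick the matching JWKS key; the claim-level kid below it is kept for backward compatibility.`. The diffstat shows only token.js changed, so nothing pins the new header: a unit test that decodes the issued token with the complete header and asserts its `kid` equals the `kid` of the key published in the JWKS would lock the fix in, since the whole point is that the two values agree. The sign call that this options object belongs to starts before the hunk and the enclosing method continues after it, so where `jwk` comes from cannot be checked here; presumably it is the same key pair as `this._privateKey`, which is worth confirming in that test.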