fix: set 'kid' JWT header from JWK whenever it is available

OKTA-386883 <<<Jenkins Check-In of Tested SHA: 9a1673a for eng_productivity_ci_bot_okta@okta.com>>> Artifact: okta-sdk-nodejs Files changed count: 5 PR Link: "#247"
okta · May 13, 2021 · 3c84738 · 3c84738
1 parent 23eccd8
commit 3c84738
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Okta Node SDK Changelog
 
+## 4.6.0
+
+### Features
+
+- [#237](https://github.com/okta/okta-sdk-nodejs/pull/237) Exposes models and type declarations through library root
+
+### Bug Fixes
+
+- [#247](https://github.com/okta/okta-sdk-nodejs/pull/247) Fixes OAuth flow error for apps using multiple JWKs
+
 ## 4.5.0
 
 ### Features

diff --git a/README.md b/README.md
@@ -59,6 +59,7 @@ The `privateKey` can be passed in the following ways:
 - A string in PEM format
 - As a JSON object, in JWK format
 
+> Note: in case OAuth client app uses multiple JWKs, `privateKey` should specify `kid` attribute.
 
 ## Table of Contents
 

diff --git a/src/jwt.js b/src/jwt.js
@@ -61,7 +61,9 @@ function makeJwt(client, endpoint) {
         .setExpiration(plus5Minutes)
         .setIssuer(client.clientId)
         .setSubject(client.clientId);
-
+      if (jwk.kid) {
+        jwt = jwt.setHeader('kid', jwk.kid);
+      }
       // JWT object is returned. It needs to be compacted with jwt.compact() before it can be used
       return jwt;
     });

diff --git a/test/jest/.eslintrc b/test/jest/.eslintrc
@@ -1,4 +1,7 @@
 {
+  "parserOptions": {
+    "ecmaVersion": 9
+  },
   "globals": {
     "jest/globals": true
   },

diff --git a/test/jest/jwt.test.js b/test/jest/jwt.test.js
@@ -95,5 +95,36 @@ describe('JWT', () => {
           return verifyJWT(jwt, endpoint);
         });
     });
+    it('sets JWK\'s \'kid\' value into JWT header', () => {
+      client.privateKey = {
+        ...JWK,
+        kid: 'keyId'
+      };
+      const endpoint = '/oauth2/v1/token';
+      return JWT.makeJwt(client, endpoint)
+        .then(jwt => {
+          return Promise.resolve().then(() => {
+            expect(jwt.header).toEqual({
+              alg: 'RS256',
+              kid: 'keyId',
+              typ: 'JWT'
+            });
+          });
+        });
+    });
+
+    it('does not set \'kid\' JWT header if \'kid\' was not specified in JWK', () => {
+      client.privateKey = JWK;
+      const endpoint = '/oauth2/v1/token';
+      return JWT.makeJwt(client, endpoint)
+        .then(jwt => {
+          return Promise.resolve().then(() => {
+            expect(jwt.header).toEqual({
+              alg: 'RS256',
+              typ: 'JWT'
+            });
+          });
+        });
+    });
   });
 });