From 3c8473865e6ac4b687dfabf32d7df9e06b34082e Mon Sep 17 00:00:00 2001
From: Oleksandr Pravosudko <oleksandr.pravosudko@okta.com>
Date: Thu, 13 May 2021 13:38:24 +0000
Subject: [PATCH] fix: set 'kid' JWT header from JWK whenever it is available

OKTA-386883
<<<Jenkins Check-In of Tested SHA: 9a1673ae40513fcb39e66943ffcd66304fd4663b for eng_productivity_ci_bot_okta@okta.com>>>
Artifact: okta-sdk-nodejs
Files changed count: 5
PR Link: "https://github.com/okta/okta-sdk-nodejs/pull/247"
---
 CHANGELOG.md          | 10 ++++++++++
 README.md             |  1 +
 src/jwt.js            |  4 +++-
 test/jest/.eslintrc   |  3 +++
 test/jest/jwt.test.js | 31 +++++++++++++++++++++++++++++++
 5 files changed, 48 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8e66097d3..38331b2a7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,15 @@
 # Okta Node SDK Changelog
 
+## 4.6.0
+
+### Features
+
+- [#237](https://github.com/okta/okta-sdk-nodejs/pull/237) Exposes models and type declarations through library root
+
+### Bug Fixes
+
+- [#247](https://github.com/okta/okta-sdk-nodejs/pull/247) Fixes OAuth flow error for apps using multiple JWKs
+
 ## 4.5.0
 
 ### Features
diff --git a/README.md b/README.md
index e0e344aff..bd8d0ed53 100644
--- a/README.md
+++ b/README.md
@@ -59,6 +59,7 @@ The `privateKey` can be passed in the following ways:
 - A string in PEM format
 - As a JSON object, in JWK format
 
+> Note: in case OAuth client app uses multiple JWKs, `privateKey` should specify `kid` attribute.
 
 ## Table of Contents
 
diff --git a/src/jwt.js b/src/jwt.js
index c5f520411..10c4c2a1a 100644
--- a/src/jwt.js
+++ b/src/jwt.js
@@ -61,7 +61,9 @@ function makeJwt(client, endpoint) {
         .setExpiration(plus5Minutes)
         .setIssuer(client.clientId)
         .setSubject(client.clientId);
-
+      if (jwk.kid) {
+        jwt = jwt.setHeader('kid', jwk.kid);
+      }
       // JWT object is returned. It needs to be compacted with jwt.compact() before it can be used
       return jwt;
     });
diff --git a/test/jest/.eslintrc b/test/jest/.eslintrc
index 119caf354..424f97b83 100644
--- a/test/jest/.eslintrc
+++ b/test/jest/.eslintrc
@@ -1,4 +1,7 @@
 {
+  "parserOptions": {
+    "ecmaVersion": 9
+  },
   "globals": {
     "jest/globals": true
   },
diff --git a/test/jest/jwt.test.js b/test/jest/jwt.test.js
index 02b4a0581..a9fdf62d7 100644
--- a/test/jest/jwt.test.js
+++ b/test/jest/jwt.test.js
@@ -95,5 +95,36 @@ describe('JWT', () => {
           return verifyJWT(jwt, endpoint);
         });
     });
+    it('sets JWK\'s \'kid\' value into JWT header', () => {
+      client.privateKey = {
+        ...JWK,
+        kid: 'keyId'
+      };
+      const endpoint = '/oauth2/v1/token';
+      return JWT.makeJwt(client, endpoint)
+        .then(jwt => {
+          return Promise.resolve().then(() => {
+            expect(jwt.header).toEqual({
+              alg: 'RS256',
+              kid: 'keyId',
+              typ: 'JWT'
+            });
+          });
+        });
+    });
+
+    it('does not set \'kid\' JWT header if \'kid\' was not specified in JWK', () => {
+      client.privateKey = JWK;
+      const endpoint = '/oauth2/v1/token';
+      return JWT.makeJwt(client, endpoint)
+        .then(jwt => {
+          return Promise.resolve().then(() => {
+            expect(jwt.header).toEqual({
+              alg: 'RS256',
+              typ: 'JWT'
+            });
+          });
+        });
+    });
   });
 });