I have investigated about this problem and in *CAS 6.6.x* was introduced a new class called JsonWebTokenSigner.java <https://github.com/apereo/cas/blob/6.6.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/jwt/JsonWebTokenSigner.java#L38> .
In this class there is a constant variable (Line 38 <https://github.com/apereo/cas/blob/6.6.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/jwt/JsonWebTokenSigner.java#L38> ): @Builder.Default private final String keyId = UUID.randomUUID().toString(); used during jwt signing (Line 87 <https://github.com/apereo/cas/blob/6.6.x/core/cas-server-core-util-api/src/main/java/org/apereo/cas/util/jwt/JsonWebTokenSigner.java#L87> ): jws.setKeyIdHeaderValue(this.keyId); So, every time you request a new jwt token, this id change over the time and there is no way for a jwk url to get the corresponding key and verify this token. I don't find any configuration for set this variable, I think it's a bug. Il giorno giovedì 6 ottobre 2022 alle 09:11:54 UTC+2 Michele Andreoli ha scritto: > Hi, > > my current version of CAS is 6.6.0. > > I'm using JWT with CAS and I set these configs: > cas.authn.token.crypto.enabled=true > cas.authn.token.crypto.encryptionEnabled=true > cas.authn.token.crypto.signingEnabled=true > cas.authn.token.crypto.alg=A256CBC-HS512 > cas.authn.token.crypto.signing.key=*** > cas.authn.token.crypto.signing.keySize=512 > cas.authn.token.crypto.encryption.key=*** > cas.authn.token.crypto.encryption.keySize=512 > > When I do login ona a specific service, CAS generates a valid JWT, but in > the header it puts a random "kid" each time: > { > "alg": "HS512", > "typ": "JWT", > *"kid": "56179e82-c6cb-4661-a181-aa2a6fb8b3c7"* > } > > So I can't validate this JWT with a jwk url, because the "kid" change each > time. Is there a way to generate a static "kid"? I'm missing some > configurations? > > With CAS 6.5.2 the "kid" isn't generate at all with the same configuration. > -- - Website: https://apereo.github.io/cas - Gitter Chatroom: https://gitter.im/apereo/cas - List Guidelines: https://goo.gl/1VRrw7 - Contributions: https://goo.gl/mh7qDG --- You received this message because you are subscribed to the Google Groups "CAS Community" group. To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/323bc7a8-d52d-405d-8149-3b0d75443507n%40apereo.org.
