Add support for x5t#S256 key identification

krakend · Feb 24, 2025 · 655de8a · 655de8a
1 parent 94add37
commit 655de8a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 9 deletions.
diff --git a/jwk_client.go b/jwk_client.go
@@ -38,6 +38,15 @@ func X5TTokenKeyIDGetter(token *jwt.JSONWebToken) string {
 	return x5t
 }
 
+// X5TS256TokenKeyIDGetter extracts the key id from the jSONWebToken as the x5t#S256
+func X5TS256TokenKeyIDGetter(token *jwt.JSONWebToken) string {
+	x5t, ok := token.Headers[0].ExtraHeaders["x5t#S256"].(string)
+	if !ok {
+		return token.Headers[0].KeyID
+	}
+	return x5t
+}
+
 // CompoundX5TTokenKeyIDGetter extracts the key id from the jSONWebToken as a compound string of the kid and x5t
 func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string {
 	return token.Headers[0].KeyID + X5TTokenKeyIDGetter(token)
@@ -46,9 +55,10 @@ func CompoundX5TTokenKeyIDGetter(token *jwt.JSONWebToken) string {
 // TokenIDGetterFactory returns the TokenIDGetter from the keyIdentifyStrategy configuration string
 func TokenIDGetterFactory(keyIdentifyStrategy string) TokenIDGetter {
 	supportedKeyIdentifyStrategy := map[string]TokenKeyIDGetterFunc{
-		"kid":     DefaultTokenKeyIDGetter,
-		"x5t":     X5TTokenKeyIDGetter,
-		"kid_x5t": CompoundX5TTokenKeyIDGetter,
+		"kid":      DefaultTokenKeyIDGetter,
+		"x5t":      X5TTokenKeyIDGetter,
+		"x5t#S256": X5TS256TokenKeyIDGetter,
+		"kid_x5t":  CompoundX5TTokenKeyIDGetter,
 	}
 
 	if tokenGetter, ok := supportedKeyIdentifyStrategy[keyIdentifyStrategy]; ok {

diff --git a/key_cacher.go b/key_cacher.go
@@ -37,9 +37,10 @@ func SetGlobalCacher(l logging.Logger, cfg config.ExtraConfig) error {
 	duration := time.Duration(scfg.CacheDuration) * time.Second
 	globalKeyCacherOnce.Do(func() {
 		globalKeyCacher = map[string]GlobalCacher{
-			"kid":     {kc: NewMemoryKeyCacher(duration, -1, "kid"), mu: new(sync.RWMutex)},
-			"x5t":     {kc: NewMemoryKeyCacher(duration, -1, "x5t"), mu: new(sync.RWMutex)},
-			"kid_x5t": {kc: NewMemoryKeyCacher(duration, -1, "kid_x5t"), mu: new(sync.RWMutex)},
+			"kid":      {kc: NewMemoryKeyCacher(duration, -1, "kid"), mu: new(sync.RWMutex)},
+			"x5t":      {kc: NewMemoryKeyCacher(duration, -1, "x5t"), mu: new(sync.RWMutex)},
+			"x5t#S256": {kc: NewMemoryKeyCacher(duration, -1, "x5t#S256"), mu: new(sync.RWMutex)},
+			"kid_x5t":  {kc: NewMemoryKeyCacher(duration, -1, "kid_x5t"), mu: new(sync.RWMutex)},
 		}
 	})
 	return nil
@@ -92,16 +93,22 @@ func X5TKeyIDGetter(key *jose.JSONWebKey) string {
 	return b64.RawURLEncoding.EncodeToString(key.CertificateThumbprintSHA1)
 }
 
+// X5TS256KeyIDGetter extracts the key id from the jSONWebKey as the x5t#S256
+func X5TS256KeyIDGetter(key *jose.JSONWebKey) string {
+	return b64.RawURLEncoding.EncodeToString(key.CertificateThumbprintSHA256)
+}
+
 // CompoundX5TKeyIDGetter extracts the key id from the jSONWebKey as the a compound string of the kid and the x5t
 func CompoundX5TKeyIDGetter(key *jose.JSONWebKey) string {
 	return key.KeyID + X5TKeyIDGetter(key)
 }
 
 func KeyIDGetterFactory(keyIdentifyStrategy string) KeyIDGetter {
 	supportedKeyIdentifyStrategy := map[string]KeyIDGetterFunc{
-		"kid":     DefaultKeyIDGetter,
-		"x5t":     X5TKeyIDGetter,
-		"kid_x5t": CompoundX5TKeyIDGetter,
+		"kid":      DefaultKeyIDGetter,
+		"x5t":      X5TKeyIDGetter,
+		"x5t#S256": X5TS256KeyIDGetter,
+		"kid_x5t":  CompoundX5TKeyIDGetter,
 	}
 
 	if keyGetter, ok := supportedKeyIdentifyStrategy[keyIdentifyStrategy]; ok {