JWT with random kid CAS 6.6.0


Michele Andreoli

Oct 6, 2022, 3:11:54 AM10/6/22
to CAS Community
Hi,

my current version of CAS is 6.6.0.

I'm using JWT with CAS and I set these configs:
cas.authn.token.crypto.enabled=true
cas.authn.token.crypto.encryptionEnabled=true
cas.authn.token.crypto.signingEnabled=true
cas.authn.token.crypto.alg=A256CBC-HS512
cas.authn.token.crypto.signing.key=***
cas.authn.token.crypto.signing.keySize=512
cas.authn.token.crypto.encryption.key=***
cas.authn.token.crypto.encryption.keySize=512

When I log in on a specific service, CAS generates a valid JWT, but in the header it puts a random "kid" each time:
{
  "alg": "HS512",
  "typ": "JWT",
  "kid": "56179e82-c6cb-4661-a181-aa2a6fb8b3c7"
}

So I can't validate this JWT with a jwk url, because the "kid" changes each time. Is there a way to generate a static "kid"? Am I missing some configuration?

With CAS 6.5.2 the "kid" isn't generated at all with the same configuration.

Michele Andreoli

Oct 12, 2022, 11:58:04 AM10/12/22
to CAS Community, Michele Andreoli
I have investigated this problem, and in CAS 6.6.x a new class called JsonWebTokenSigner.java was introduced.

In this class there is a constant variable (Line 38):
@Builder.Default
private final String keyId = UUID.randomUUID().toString();
used during jwt signing (Line 87):
jws.setKeyIdHeaderValue(this.keyId);

So, every time you request a new jwt token, this id changes, and there is no way for a jwk url to get the corresponding key and verify this token.
I can't find any configuration to set this variable; I think it's a bug.
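As an added illustration of the failure described in this thread (this is not CAS code; the signing key, the kid value and the JWKS below are constructed), the snippet signs a token with a fresh random kid the way the post describes and then tries to resolve that kid against a JWKS, which fails, while a token carrying a stable kid that matches a JWKS entry verifies:

```python
import base64, hashlib, hmac, json, uuid

# Constructed example key; in CAS this would be cas.authn.token.crypto.signing.key.
SIGNING_KEY = b"constructed-example-signing-key-not-a-real-secret"
STABLE_KID = "cas-token-signing-key"  # constructed, assumed kid published in the JWKS

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_hs512(claims: dict, key: bytes, kid: str) -> str:
    """Compact JWS with HS512 and the header layout shown in the post."""
    header = {"alg": "HS512", "typ": "JWT", "kid": kid}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha512).digest()
    return signing_input + "." + b64url(sig)

def header_kid(token: str) -> str:
    return json.loads(b64url_decode(token.split(".")[0])).get("kid")

def verify_with_jwks(token: str, jwks: dict):
    """Resolve the header kid against the JWKS, then check the HMAC. Returns (ok, reason)."""
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(b64url_decode(h_b64))
    keys = {k["kid"]: k for k in jwks["keys"]}
    kid = header.get("kid")
    if kid not in keys:
        return False, f"no JWKS entry for kid {kid!r}"  # the failure the post hits
    jwk = keys[kid]
    if jwk.get("kty") != "oct" or header.get("alg") != "HS512":
        return False, "unsupported key type or alg"
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h_b64}.{p_b64}".encode(), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):
        return False, "bad signature"
    return True, "ok"

# JWKS the verifying side holds: one symmetric key under a stable kid (constructed).
JWKS = {"keys": [{"kty": "oct", "kid": STABLE_KID, "alg": "HS512", "k": b64url(SIGNING_KEY)}]}

def random_kid_token(claims: dict) -> str:
    # Mimics the behaviour reported for CAS 6.6.0: a new UUID kid per token.
    return sign_hs512(claims, SIGNING_KEY, str(uuid.uuid4()))

def static_kid_token(claims: dict) -> str:
    return sign_hs512(claims, SIGNING_KEY, STABLE_KID)
```

Running verify_with_jwks over tokens from the same issuer is a quick way to confirm whether kid values are resolvable before pointing a JWKS-based validator at them.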