Skip to content

Login tokens do not include key ID (kid) in JWT header #46

Open
Open
Login tokens do not include key ID (kid) in JWT header#46
@stanleykc

Description

@stanleykc
stanleykc
opened on Dec 31, 2025

Summary

During security testing, it was discovered that JWT tokens generated during login do not include the kid (key ID) claim in the token header. This makes key rotation more complex and reduces token traceability.

Current Behavior

Tokens generated by the login endpoint have a header like:
```json
{
"alg": "RS256"
}
```

Expected Behavior

Tokens should include the kid of the signing key:
```json
{
"alg": "RS256",
"kid": "e3be37177a7c42bcbadd7cc63715f216"
}
```

Impact

Low: Functional impact is minimal since signature validation works without kid, but:

  • Key rotation becomes harder to implement cleanly
  • Clients cannot easily determine which key to use for verification
  • Makes it harder to identify which key signed a particular token

Technical Details

  • Location: JWT token generation in PrimarySignatureConfiguration / Micronaut JWT Generator
  • Test Reference: SecurityEdgeCasesTest.loginTokens_areValidJwts()
  • Current Implementation: Micronaut's default JWT generator does not include kid

Suggested Fix

Configure Micronaut's JWT generator to include the kid from the signing key configuration. This may involve:

  1. Setting a configuration property for the generator
  2. Or customizing the JWT header generation in PrimarySignatureConfiguration

Related Issues

Labels

  • enhancement
  • security

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions