Open
Summary
During security testing, it was discovered that JWT tokens generated during login do not include the kid (key ID) claim in the token header. This makes key rotation more complex and reduces token traceability.
Current Behavior
Tokens generated by the login endpoint have a header like:
```json
{
"alg": "RS256"
}
```
Expected Behavior
Tokens should include the kid of the signing key:
```json
{
"alg": "RS256",
"kid": "e3be37177a7c42bcbadd7cc63715f216"
}
```
Impact
Low: Functional impact is minimal since signature validation works without kid, but:
- Key rotation becomes harder to implement cleanly
- Clients cannot easily determine which key to use for verification
- Makes it harder to identify which key signed a particular token
Technical Details
- Location: JWT token generation in PrimarySignatureConfiguration / Micronaut JWT Generator
- Test Reference: SecurityEdgeCasesTest.loginTokens_areValidJwts()
- Current Implementation: Micronaut's default JWT generator does not include kid
Suggested Fix
Configure Micronaut's JWT generator to include the kid from the signing key configuration. This may involve:
- Setting a configuration property for the generator
- Or customizing the JWT header generation in PrimarySignatureConfiguration
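Added example, not code from this project: the header change the suggested fix asks for (a kid stamped into every issued token), together with the strict kid-to-key resolution on the verifying side that related issue #45 is about. It is written against Nimbus JOSE+JWT, the JOSE library Micronaut Security JWT is built on, so the same calls apply inside a custom signature configuration. The class name, key ids, issuer and subject are illustrative; wiring the header builder into PrimarySignatureConfiguration is project-specific and not shown.

```java
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.text.ParseException;
import java.util.Date;
import java.util.List;

// Added example, not project code: RS256 tokens whose header names the signing
// key via "kid", and a verifier that resolves "kid" strictly against a JWK set.
// Class name, key ids and claim values are illustrative.
public final class KidJwtExample {

    // Signs the claims and stamps the signing key's kid into the JOSE header.
    static SignedJWT sign(RSAKey signingKey, JWTClaimsSet claims) throws JOSEException {
        if (signingKey.getKeyID() == null) {
            throw new IllegalArgumentException("signing key must carry a kid");
        }
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256)
                .keyID(signingKey.getKeyID())   // the header parameter the issue asks for
                .build();
        SignedJWT jwt = new SignedJWT(header, claims);
        jwt.sign(new RSASSASigner(signingKey));
        return jwt;
    }

    // Strict kid-based verification: the header must name a key, that key must be
    // in the published set, and the signature must verify under exactly that key.
    // No "try every key" fallback, which is what makes kid meaningful.
    static JWTClaimsSet verify(String serialized, JWKSet publicKeys)
            throws ParseException, JOSEException {
        SignedJWT jwt = SignedJWT.parse(serialized);
        if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
            throw new JOSEException("unexpected alg " + jwt.getHeader().getAlgorithm());
        }
        String kid = jwt.getHeader().getKeyID();
        if (kid == null) {
            throw new JOSEException("header has no kid; refusing to guess the key");
        }
        JWK candidate = publicKeys.getKeyByKeyId(kid);
        if (candidate == null) {
            throw new JOSEException("unknown kid " + kid);
        }
        if (!jwt.verify(new RSASSAVerifier(candidate.toRSAKey()))) {
            throw new JOSEException("signature does not verify under kid " + kid);
        }
        return jwt.getJWTClaimsSet();
    }

    public static void main(String[] args) throws Exception {
        // Rotation window: the new key signs, the old key stays published so tokens
        // issued before the switch still verify. The kid values are made up; any
        // stable unique string (e.g. the RFC 7638 JWK thumbprint) works.
        RSAKey oldKey = new RSAKeyGenerator(2048).keyID("login-2024-01").generate();
        RSAKey newKey = new RSAKeyGenerator(2048).keyID("login-2024-06").generate();
        JWKSet published = new JWKSet(List.of(oldKey.toPublicJWK(), newKey.toPublicJWK()));

        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice").issuer("https://login.example.test")
                .issueTime(now).expirationTime(new Date(now.getTime() + 600_000L))
                .build();

        // Expected behaviour: header carries kid alongside alg, verifier finds the key.
        String token = sign(newKey, claims).serialize();
        System.out.println("header: " + SignedJWT.parse(token).getHeader().toJSONObject());
        System.out.println("verified subject: " + verify(token, published).getSubject());

        // Current behaviour from the issue: header {"alg":"RS256"} with no kid.
        // A kid-aware verifier cannot pick a key and rejects rather than guess.
        SignedJWT noKid = new SignedJWT(new JWSHeader(JWSAlgorithm.RS256), claims);
        noKid.sign(new RSASSASigner(newKey));
        try {
            verify(noKid.serialize(), published);
        } catch (JOSEException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Mismatch (cf. #45): header names the old kid but the new key signed.
        // Verifying against exactly the named key catches it.
        SignedJWT wrongKid = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(oldKey.getKeyID()).build(), claims);
        wrongKid.sign(new RSASSASigner(newKey));
        try {
            verify(wrongKid.serialize(), published);
        } catch (JOSEException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Run with nimbus-jose-jwt on the classpath. The signing side is the part that belongs in the project's signature configuration; the verifying side shows why the header field matters: once every token names its key, the verifier can refuse tokens without a kid and tokens whose kid does not match the key that actually produced the signature, instead of trying each configured key in turn.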
Related Issues
- JWT key ID (kid) validation does not enforce matching key #45 (JWT key ID validation)
Labels
- enhancement
- security