This is in relation to RFC7523 and the PrivateKeyJWT and ClientSecretJWT classes' sign method. Each class can be initialised with a headers dictionary. In ClientSecretJWT, the self.headers is passed to client_secret_jwt_sign as a kwparam called headers. PrivateKeyJWT doesn't actually pass the headers through to private_key_jwt_sign at all, but should (that's the first problem). This allows people to set things like the kid on the JWT header.
The second problem is that the sign_jwt_bearer_assertion expects a kwarg called header and not headers. At the moment, the headers from ClientSecretJWT.sign() appear to be ignored.
In summary, two issues:
1. PrivateKeyJWT should pass the self.headers into the private_key_jwt_sign call.
2. Both ClientSecretJWT and PrivateKeyJWT should pass header=self.headers in the calls to client_secret_jwt_sign and private_key_jwt_sign respectively.
I can create a PR, but I can't see any existing tests for the RFC7353 code in the codebase that I can enhance. Any guidance would be greatly appreciated.
Error Stacks
None
Expected behaviour
I would expect the headers to be passed through and included in the JWT.
Environment:
OS: Ubuntu 22.04 (but not relevant here)
Python Version: 3.10.7 (but not relevant here)
Authlib Version: latest from master (commit cadc55d15e4d15fc1407dc2187fea0208d8b520c)
Additional context
This is being used to implement a flask application that uses OIDC Connect with private_key_jwt.
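As an added illustration (not Authlib's code and not part of the issue): a self-contained HS256 client_secret_jwt assertion builder per RFC 7523 in which a caller-supplied headers dict, such as a kid, is merged into the JOSE header, which is the pass-through behaviour the report expects. The function names, client id, secret and token endpoint below are made up.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_client_secret_assertion(client_id, client_secret, token_endpoint,
                                 headers=None, lifetime=300):
    """Build an RFC 7523 client-authentication assertion (client_secret_jwt, HS256).

    `headers` holds caller-supplied protected header fields (e.g. kid); they are
    merged into the JOSE header instead of being dropped. `alg` is pinned after
    the merge so a caller cannot downgrade it to "none" or another algorithm.
    """
    header = {"typ": "JWT"}
    header.update(headers or {})
    header["alg"] = "HS256"
    now = int(time.time())
    claims = {
        "iss": client_id, "sub": client_id, "aud": token_endpoint,
        "iat": now, "exp": now + lifetime, "jti": uuid.uuid4().hex,
    }
    parts = [_b64url(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_assertion(token, client_secret):
    """Verify the HS256 signature in constant time and return (header, claims)."""
    h, c, s = token.split(".")
    expected = hmac.new(client_secret.encode(), f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(h)), json.loads(_b64url_decode(c))
```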