fix: use up-to-date kid in JWT header when refreshing

Co-authored-by: Randall Leeds <randall.leeds@nytimes.com>

Author: NilsBarlaug

cypress/helpers/index.js

@@ -98,3 +98,20 @@ const deleteGrant = (id) =>
     "DELETE",
     Cypress.env("admin_url") + "/trust/grants/jwt-bearer/issuers/" + id,
   )
+
+export const validateJwt = (jwt) =>
+  cy
+    .request({
+      method: "POST",
+      url: `${Cypress.env("client_url")}/oauth2/validate-jwt`,
+      form: true,
+      body: { jwt },
+    })
+    .then(({ body }) => body)
+
+export const rotateJwks = (set) =>
+  cy
+    .request("POST", `${Cypress.env("admin_url")}/keys/${set}`, {
+      alg: "RS256",
+    })
+    .then(({ body }) => body)

cypress/integration/oauth2/jwt.js

@@ -1,7 +1,7 @@
 // Copyright © 2022 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { createClient, prng } from "../../helpers"
+import { createClient, prng, validateJwt } from "../../helpers"
 
 const accessTokenStrategies = ["opaque", "jwt"]
 
@@ -44,15 +44,12 @@ describe("OAuth 2.0 JSON Web Token Access Tokens", () => {
               expect(token.refresh_token).to.not.be.empty
               expect(token.access_token.split(".").length).to.equal(3)
               expect(token.refresh_token.split(".").length).to.equal(2)
-            })
 
-          cy.request(`${Cypress.env("client_url")}/oauth2/validate-jwt`)
-            .its("body")
-            .then((body) => {
-              console.log(body)
-              expect(body.sub).to.eq("foo@bar.com")
-              expect(body.client_id).to.eq(client.client_id)
-              expect(body.jti).to.not.be.empty
+              validateJwt(token.access_token).then(({ payload }) => {
+                expect(payload.sub).to.eq("foo@bar.com")
+                expect(payload.client_id).to.eq(client.client_id)
+                expect(payload.jti).to.not.be.empty
+              })
             })
         })
       })

cypress/integration/oauth2/refresh_token.js

@@ -1,7 +1,7 @@
 // Copyright © 2022 Ory Corp
 // SPDX-License-Identifier: Apache-2.0
 
-import { createClient, prng } from "../../helpers"
+import { createClient, prng, rotateJwks, validateJwt } from "../../helpers"
 
 const accessTokenStrategies = ["opaque", "jwt"]
 
@@ -100,6 +100,61 @@ describe("The OAuth 2.0 Refresh Token Grant", function () {
           })
         })
       })
+
+      const validateJwtAndGetKid = (token) =>
+        validateJwt(token).then(({ header }) => header.kid)
+
+      it("should refresh the Access and ID Token with newly rotated keys", function () {
+        if (
+          accessTokenStrategy === "opaque" ||
+          (Cypress.env("jwt_enabled") !== "true" &&
+            !Boolean(Cypress.env("jwt_enabled")))
+        ) {
+          this.skip()
+        }
+
+        const referrer = `${Cypress.env("client_url")}/empty`
+        cy.visit(referrer, {
+          failOnStatusCode: false,
+        })
+
+        createClient({
+          scope: "offline_access openid",
+          redirect_uris: [referrer],
+          grant_types: ["authorization_code", "refresh_token"],
+          response_types: ["code"],
+          token_endpoint_auth_method: "none",
+        }).then((client) => {
+          cy.authCodeFlowBrowser(client, {
+            consent: {
+              scope: ["offline_access", "openid"],
+            },
+            createClient: false,
+          }).then(({ body: tokensBefore }) => {
+            const kidsBefore = {
+              accessToken: validateJwtAndGetKid(tokensBefore.access_token),
+              idToken: validateJwtAndGetKid(tokensBefore.id_token),
+            }
+
+            rotateJwks("hydra.jwt.access-token")
+            rotateJwks("hydra.openid.id-token")
+
+            cy.refreshTokenBrowser(client, tokensBefore.refresh_token).then(
+              ({ body: tokensAfter }) => {
+                const kidsAfter = {
+                  accessToken: validateJwtAndGetKid(tokensAfter.access_token),
+                  idToken: validateJwtAndGetKid(tokensAfter.id_token),
+                }
+
+                expect(kidsAfter.accessToken).to.not.equal(
+                  kidsBefore.accessToken,
+                )
+                expect(kidsAfter.idToken).to.not.equal(kidsBefore.idToken)
+              },
+            )
+          })
+        })
+      })
     })
   })
 })

cypress/support/commands.js

@@ -196,10 +196,9 @@ Cypress.Commands.add(
       })
     }
     if (doCreateClient) {
-      createClient(client).then(run)
-      return
+      return createClient(client).then(run)
     }
-    run(client)
+    return run(client)
   },
 )
 

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=0-description=should_pass_request_if_strategy_passes-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=2-description=should_pass_because_prompt=none_and_max_age_is_less_than_auth_time-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=legacy.json

@@ -18,10 +18,7 @@
           "sid": ""
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },

oauth2/.snapshots/TestAuthCodeWithMockStrategy-strategy=jwt-case=5-description=should_pass_with_prompt=login_when_authentication_time_is_recent-should_call_refresh_token_hook_if_configured-hook=new.json

@@ -17,10 +17,7 @@
           "hooked": "legacy"
         }
       },
-      "headers": {
-        "extra": {
-        }
-      },
+      "headers": null,
       "username": "",
       "subject": "foo"
     },