From 3508b5282bd3c4d55404fb9c65b7733f8047fd91 Mon Sep 17 00:00:00 2001
From: Xynnn007
Date: Wed, 9 Oct 2024 12:09:51 +0800
Subject: [PATCH] AS: move JWK to the JWT Header field
Due to RFC 7515, JWK should be part of a JOSE Header rather than claim body.
Signed-off-by: Xynnn007
---
 attestation-service/src/token/simple.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs
index 20c1d9652..23281c323 100644
--- a/attestation-service/src/token/simple.rs
+++ b/attestation-service/src/token/simple.rs
@@ -92,6 +92,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
 let header_value = json!({
 "typ": "JWT",
 "alg": SIMPLE_TOKEN_ALG,
+ "jwk": serde_json::from_str::(&self.pubkey_jwks()?)?["keys"][0].clone(),
 });
 let header_string = serde_json::to_string(&header_value)?;
 let header_b64 = URL_SAFE_NO_PAD.encode(header_string.as_bytes());
@@ -109,7 +110,6 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
 "iss": self.config.issuer_name.clone(),
 "iat": now.unix_timestamp(),
 "jti": id,
- "jwk": serde_json::from_str::(&self.pubkey_jwks()?)?["keys"][0].clone(),
 "nbf": now.unix_timestamp(),
 "exp": exp.unix_timestamp(),
 })
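Review bot: The added `"jwk"` header line indexes the parsed key set with `["keys"][0]`, and serde_json's `Value` indexing returns `Null` for a missing key or an out-of-range index instead of failing. An empty or malformed JWKS would therefore be signed into the protected header as `"jwk": null` without any error. I would replace the `["keys"][0].clone()` tail with `.pointer("/keys/0").cloned().ok_or_else(|| /* error: JWKS contains no key */)?`, mapped into whatever error type this function returns, so token issuance fails closed. Since the key now travels in the JOSE header, it is also worth a comment above the line such as `// Informational only: verifiers must match this key against a trusted AS key set, never trust it on its own.` The enclosing function starts and ends outside the hunk, so how `pubkey_jwks()` builds the set is not visible here.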