AS: move JWK to the JWT Header field

Due to RFC 7515, JWK should be part of a JOSE Header rather than claim body. Signed-off-by: Xynnn007 <[email protected]>
confidential-containers · Oct 9, 2024 · 8c0cfe5 · 8c0cfe5
1 parent 799884e
commit 8c0cfe5
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/attestation-service/src/token/simple.rs b/attestation-service/src/token/simple.rs
@@ -92,6 +92,7 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
         let header_value = json!({
             "typ": "JWT",
             "alg": SIMPLE_TOKEN_ALG,
+            "jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
         });
         let header_string = serde_json::to_string(&header_value)?;
         let header_b64 = URL_SAFE_NO_PAD.encode(header_string.as_bytes());
@@ -109,7 +110,6 @@ impl AttestationTokenBroker for SimpleAttestationTokenBroker {
             "iss": self.config.issuer_name.clone(),
             "iat": now.unix_timestamp(),
             "jti": id,
-            "jwk": serde_json::from_str::<Value>(&self.pubkey_jwks()?)?["keys"][0].clone(),
             "nbf": now.unix_timestamp(),
             "exp": exp.unix_timestamp(),
         })