From cf861b1fe6fff95196734e3ac8fce492d5bc77ff Mon Sep 17 00:00:00 2001
From: Juan Mesaglio
Date: Sat, 14 Mar 2026 13:17:22 -0300
Subject: [PATCH] fix(token): use public key coordinates for ECDSA JWK thumbprint

getRFC7638Thumbprint was using params.Gx/Gy (the curve's generator point, a constant shared by all keys on the same curve) instead of pubkey.X/Y (the actual public key coordinates). This caused every ECDSA key on P-256 to produce the identical kid, breaking the disable_legacy_key_id feature and making key rotation undetectable for affected deployments.
---
 auth_server/server/config.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/auth_server/server/config.go b/auth_server/server/config.go
index 13c610b7..b926e55a 100644
--- a/auth_server/server/config.go
+++ b/auth_server/server/config.go
@@ -451,8 +451,8 @@ func getRFC7638Thumbprint(publickey crypto.PublicKey) string {
 case *ecdsa.PublicKey:
 params := pubkey.Params()
 crv := params.Name
- x := base64.RawURLEncoding.EncodeToString(params.Gx.Bytes())
- y := base64.RawURLEncoding.EncodeToString(params.Gy.Bytes())
+ x := base64.RawURLEncoding.EncodeToString(pubkey.X.Bytes())
+ y := base64.RawURLEncoding.EncodeToString(pubkey.Y.Bytes())
 payload = fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`, crv, x, y)
 default:
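Review bot: The two added lines still encode the coordinates with `big.Int.Bytes()`, which drops leading zero octets, so a key whose X or Y has a zero most-significant byte (roughly 1 in 256 keys per coordinate) gets a shorter encoding than the fixed field width RFC 7518 §6.2.1.2 requires for EC JWKs, and its kid will not match the RFC 7638 thumbprint a conforming verifier computes. Using the curve's field size as a fixed width fixes that: `size := (params.BitSize + 7) / 8`, `x := base64.RawURLEncoding.EncodeToString(pubkey.X.FillBytes(make([]byte, size)))`, and the same for `y`. A regression test generating two distinct P-256 keys and asserting their kids differ, plus one against a known-good thumbprint vector, would pin both this fix and the width requirement. The remaining cases of getRFC7638Thumbprint and the final hashing of `payload` are outside the hunk.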