I was working with getting a jwt from ghost to authorize access to a Members-Only enhanced search. From previous posts, etc, the workflow is the user signs in, then we send a GET request to members/api/session, and then submit that JWT. This works fine except…
The JWT provided by Ghost seems to have an error. The kid claim is in the body instead of the header where it is expected. kid is an optional JWS header parameter per RFC
If I’m confused then please let me know but this seems wrong and breaks compatibility with libraries that expect to load the kid from the header to match to the JWKS that Ghost publishes.
Wanted to note that based on a quick glance into the python lib to process signing keys, it looks like it wasn’t able to find the correct key as the use: "sig" was missing from the payload. I’ve added both the use property in the response body and the kid header to make sure more clients have easy time working with the endpoint. Can you please verify it works for you?
Unfortunately this is not a solution. The modifications in the link alter /ghost/.well-known/jwks.json but I was specifically working with /members/.well-known/jwks.json. I did try your branch and could verify that the changes altered the ghost path jwks.json.
The core problem is the actual JWT (not the JWKS) is missing the kid.