Merge pull request #1644 from fh1ch/clarify-kid-format

Clarify kid format for JWT token auth in docs
pull/1478/head
Richard Scothern 2016-04-25 17:01:15 -07:00
commit 47d14555c0
1 changed files with 11 additions and 2 deletions

@ -69,8 +69,17 @@ Token has 3 main parts:
The header of a JSON Web Token is a standard JOSE header. The "typ" field
will be "JWT" and it will also contain the "alg" which identifies the
signing algorithm used to produce the signature. It will also usually have
a "kid" field, the ID of the key which was used to sign the token.
signing algorithm used to produce the signature. It also must have a "kid"
field, representing the ID of the key which was used to sign the token.
The "kid" field has to be in a libtrust fingerprint compatible format.
Such a format can be generated by following steps:
1. Take the DER encoded public key which the JWT token was signed against.
2. Create a SHA256 hash out of it and truncate to 240bits.
3. Split the result into 12 base32 encoded groups with `:` as delimiter.
Here is an example JOSE Header for a JSON Web Token (formatted with
whitespace for readability):
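Review bot: the wording of the new "kid" sentence needs a small fix before merge: "It also must have a "kid" field" should read "It must also have a "kid" field", "by following steps" is missing an article ("by the following steps"), and "240bits" should be "240 bits". On the substance of the three steps, "DER encoded public key" is ambiguous for RSA keys, which have both a PKCS#1 and a SubjectPublicKeyInfo DER form, so state which encoding is hashed. It would also help readers to spell out why step 3 is deterministic: 240 bits base32-encode to exactly 48 characters (5 bits per character, no padding), giving 12 groups of 4 characters joined with `:`. Finally, since the text tightens "usually have" to "must have", confirm that the registry really rejects tokens without a "kid"; otherwise the doc now overstates the requirement.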