commit e1e05abcd0c0c637dce9e1d51044fb350f8212c4 · zzstoatzz.io/plyr.fm

zzstoatzz.io / plyr.fm

music on atproto plyr.fm

fix: preserve kid in JWKS endpoint output (#581)

python-jose's to_dict() doesn't include the kid field from the
original JWK. this fix explicitly copies the kid from the input
JWK to the public key output.

the kid is required by ATProto OAuth for key identification when
validating client assertions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

authored by zzstoatzz.io Claude Opus 4.5 and committed by GitHub 4 weeks ago e1e05abc 0b1e5672

options

unified split

Changed files

backend

src

backend

_internal

auth.py

backend/src/backend/_internal/auth.py

··· 142 142 public_jwk["use"] = "sig" 143 143 public_jwk["alg"] = "ES256" 144 144 145 + # preserve kid from original JWK (python-jose's to_dict() doesn't include it) 146 + if "kid" in jwk_data: 147 + public_jwk["kid"] = jwk_data["kid"] 148 + 145 149 return {"keys": [public_jwk]} 146 150 147 151 except Exception as e: