docs(changeset): feat: add kid to the JwtSigner interface

TimoGlastra · TimoGlastra · commit d9b81188309b · 2025-05-11T13:59:18.000+02:00
Signed-off-by: Timo Glastra &lt;timo@animo.id&gt;
diff --git a/.changeset/three-clouds-return.md b/.changeset/three-clouds-return.md
@@ -0,0 +1,5 @@
+---
+"@openid4vc/oauth2": patch
+---
+
+feat: add `kid` to the JwtSigner interface
diff --git a/packages/oauth2/src/common/jwt/decode-jwt.ts b/packages/oauth2/src/common/jwt/decode-jwt.ts
@@ -124,6 +124,7 @@ export function jwtSignerFromJwt({
         alg: header.alg,
         method: 'x5c',
         x5c: header.x5c,
+        kid: header.kid,
       },
     })
   }
@@ -208,6 +209,7 @@ export function jwtSignerFromJwt({
     return {
       method: 'custom',
       alg: header.alg,
+      kid: header.kid,
     }
   }
 
diff --git a/packages/oauth2/src/common/jwt/z-jwt.ts b/packages/oauth2/src/common/jwt/z-jwt.ts
@@ -7,31 +7,62 @@ export type JwtSignerDid = {
   method: 'did'
   didUrl: string
   alg: string
+
+  /**
+   * The key id that should be used for signing. You need to make sure the kid actuall matches
+   * with the key associated with the didUrl.
+   */
+  kid?: string
 }
 
 export type JwtSignerJwk = {
   method: 'jwk'
   publicJwk: Jwk
   alg: string
+
+  /**
+   * The key id that should be used for signing. You need to make sure the kid actuall matches
+   * with the key associated with the jwk.
+   *
+   * If not provided the kid can also be extracted from the `publicJwk`. Providing it here means the `kid` won't
+   * be included in the JWT header.
+   */
+  kid?: string
 }
 
 export type JwtSignerX5c = {
   method: 'x5c'
   x5c: string[]
   alg: string
+
+  /**
+   * The key id that should be used for signing. You need to make sure the kid actuall matches
+   * with the key associated with the leaf certificate.
+   */
+  kid?: string
 }
 
 export type JwtSignerFederation = {
   method: 'federation'
   trustChain?: [string, ...string[]]
   alg: string
+
+  /**
+   * The key id that should be used for signing. You need to make sure the kid actuall matches
+   * with a key present in the federation.
+   */
   kid: string
 }
 
 // In case of custom nothing will be added to the header
 export type JwtSignerCustom = {
   method: 'custom'
   alg: string
+
+  /**
+   * The key id that should be used for signing.
+   */
+  kid?: string
 }
 
 export type JwtSigner = JwtSignerDid | JwtSignerJwk | JwtSignerX5c | JwtSignerFederation | JwtSignerCustom

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +"@openid4vc/oauth2": patch
 +---
++
 +feat: add `kid` to the JwtSigner interface
Original file line number	Diff line number	Diff line change
`@@ -124,6 +124,7 @@ export function jwtSignerFromJwt({`
`124`	`124`	`alg: header.alg,`
`125`	`125`	`method: 'x5c',`
`126`	`126`	`x5c: header.x5c,`
	`127`	`+ kid: header.kid,`
`127`	`128`	`},`
`128`	`129`	`})`
`129`	`130`	`}`
`@@ -208,6 +209,7 @@ export function jwtSignerFromJwt({`
`208`	`209`	`return {`
`209`	`210`	`method: 'custom',`
`210`	`211`	`alg: header.alg,`
	`212`	`+ kid: header.kid,`
`211`	`213`	`}`
`212`	`214`	`}`
`213`	`215`