Clarify kid format for JWT token auth in docs

The kid value can have an arbitrary format according to the JOSE specification, but Docker distribution expects a specific format (libtrust fingerprint) to work. This is not written in the documentation so far and is only mentioned in the libtrust source code itself.

Signed-off-by: Fabio Huser <fabio@fh1.ch>
Fabio Huser 2016-04-17 12:04:15 +02:00
parent 9d491698cc
commit 17756eb43e

@ -69,8 +69,17 @@ Token has 3 main parts:
The header of a JSON Web Token is a standard JOSE header. The "typ" field The header of a JSON Web Token is a standard JOSE header. The "typ" field
will be "JWT" and it will also contain the "alg" which identifies the will be "JWT" and it will also contain the "alg" which identifies the
signing algorithm used to produce the signature. It will also usually have signing algorithm used to produce the signature. It also must have a "kid"
a "kid" field, the ID of the key which was used to sign the token. field, representing the ID of the key which was used to sign the token.
The "kid" field has to be in a libtrust fingerprint compatible format.
Such a format can be generated by following steps:
1. Take the DER encoded public key which the JWT token was signed against.
2. Create a SHA256 hash out of it and truncate to 240bits.
3. Split the result into 12 base32 encoded groups with `:` as delimiter.
Here is an example JOSE Header for a JSON Web Token (formatted with Here is an example JOSE Header for a JSON Web Token (formatted with
whitespace for readability): whitespace for readability):
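Review bot: Steps 2 and 3 of the added list leave the encoding underspecified: "Split the result into 12 base32 encoded groups" does not say whether the grouping happens before or after base32 encoding, nor how long each group is. Since 240 bits encode to exactly 48 base32 characters, step 3 could read "Base32-encode the result and split the 48 characters into 12 groups of 4, separated by `:`". Step 1 should also name which DER structure is hashed (for example SubjectPublicKeyInfo as opposed to a bare PKCS#1 key), because different encodings of the same key produce different kid values and a mismatch will make token verification fail. "The public key which the JWT token was signed against" would be clearer as the public key matching the private key that signed the token, and "240bits" needs a space.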