Double Base64 Encoding of JWK Thumbprint When Assigning kid

[lionick]

The JWK.thumbprint() function already returns a base64url-encoded hash (via b64e()).

JWTConnect-Python-CryptoJWT/src/cryptojwt/jwk/__init__.py

Line 270 in 2b735fe

return b64e(DIGEST_HASH[hash_function](_json))

However, when code later does:
self.kid = b64e(self.thumbprint("SHA-256")).decode("utf8")
it is applying b64e a second time on the thumbprint, which is already base64url-encoded.

(

JWTConnect-Python-CryptoJWT/src/cryptojwt/jwk/__init__.py

Line 277 in 2b735fe

self.kid = b64e(self.thumbprint("SHA-256")).decode("utf8")

)

Is this something made on purpose?

[jschlyter]

Not on purpose, please submit a PR if you can.

[lionick]

My main concern is that making this change could trigger the generation of new keys(?), which may lead to unintended side effects.

[jschlyter]

My main concern is that making this change could trigger the generation of new keys(?), which may lead to unintended side effects.

Once the kid has been generated, it is saved with the key. If one depend on a certain kid to be generated one might have other issues.