From b82da3ebf3ef0060f840b158030b0ae887955f9f Mon Sep 17 00:00:00 2001
From: Jichao Ouyang
Date: Tue, 14 Oct 2025 12:56:10 +1100
Subject: [PATCH 1/2] fix: add test case when header try to overrid `kid`
---
 token/jwt/jwt_test.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/token/jwt/jwt_test.go b/token/jwt/jwt_test.go
index 1939d7bba..597add2f1 100644
--- a/token/jwt/jwt_test.go
+++ b/token/jwt/jwt_test.go
@@ -21,6 +21,7 @@ import (
 var header = &Headers{
 Extra: map[string]interface{}{
 "foo": "bar",
+ "kid": "try-override-key-id",
 },
 }
 
From 678262da4f8be780a6e4f304bd0643faac66abaa Mon Sep 17 00:00:00 2001
From: Jichao Ouyang
Date: Tue, 14 Oct 2025 13:05:56 +1100
Subject: [PATCH 2/2] fix: should not allow kid override by header parameter
---
 token/jwt/jwt.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/token/jwt/jwt.go b/token/jwt/jwt.go
index 9c5aa5775..538287ade 100644
--- a/token/jwt/jwt.go
+++ b/token/jwt/jwt.go
@@ -48,8 +48,10 @@ func (j *DefaultSigner) Generate(ctx context.Context, claims MapClaims, header M
 switch t := key.(type) {
 case *jose.JSONWebKey:
+ header.Add("kid", t.KeyID)
 return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 case jose.JSONWebKey:
+ header.Add("kid", t.KeyID)
 return generateToken(claims, header, jose.SignatureAlgorithm(t.Algorithm), t)
 case *rsa.PrivateKey:
 return generateToken(claims, header, jose.RS256, t)
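Review bot: In the token/jwt/jwt_test.go hunk the package-level `header` fixture now carries a `kid` override attempt, but the hunk adds no assertion that a token generated from it ends up with the signing key's KeyID rather than `try-override-key-id`; the fixture only exercises the defence if an existing test outside this hunk compares the emitted header's `kid` against the key's ID, which cannot be confirmed from here. Because `header` is shared by every test in the file, the added line deserves a why-comment so the next reader does not mistake it for a stray value: `"kid": "try-override-key-id", // caller-supplied kid; Generate must replace it with the signing key's KeyID`. Whether the override is actually neutralised also depends on `Headers.Add` in the second patch replacing an existing `Extra` entry rather than keeping the first value; that behaviour is not visible in this series, so a test that pins the final `kid` is the only thing that proves it.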