From 18bc01fc3d2dcf6a5fd7dd5685b5092bfaa26060 Mon Sep 17 00:00:00 2001
From: Graham Leggett <minfrin@apache.org>
Date: Fri, 19 May 2023 10:24:27 +0000
Subject: [PATCH] Sign with the signer key. Previously the verify key was used,
 which only worked if the signing and verifying keys were the same.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1909926 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/aaa/mod_autht_jwt.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/modules/aaa/mod_autht_jwt.c b/modules/aaa/mod_autht_jwt.c
index f48bdd698fc..f1754cfb5c5 100644
--- a/modules/aaa/mod_autht_jwt.c
+++ b/modules/aaa/mod_autht_jwt.c
@@ -616,8 +616,9 @@ static const char *jwt_get_token(request_rec *r)
         return "error:no-claims";
     }
 
-    if (conf->verifies_set) {
-        srec = (auth_bearer_signature_rec *)conf->verifies->elts;
+    /* sign with the first key, if present */
+    if (conf->signs_set) {
+        srec = (auth_bearer_signature_rec *)conf->signs->elts;
     }
 
     /* create a JWT containing the claims */
-- 
2.47.2