[mitreid-connect] Keystore

Justin Richer jricher at mit.edu
Fri Aug 28 14:48:33 EDT 2015


The “kid” field is what differentiates the keys when there are multiple ones there. I suppose you *could* just look at all the keys and pick whichever one is set up for “use:sig”, but then what do you do if you’ve got multiple “use:sig” keys and you need to sign something? Better to use an explicit identifier, which MITREid Connect requires in its keystores for this purpose. Also, OIDC requires the use of the “kid” field in the ID token to indicate which key was used to sign the token if there are more than one to choose from in the JWK set:

http://openid.net/specs/openid-connect-core-1_0.html#Signing

We currently only support one signing key at a time (and only one encryption key for that matter), but multiple can be in the store and published. The JWK endpoint will publish all available public keys in the keystore. The public keys are generated by reading the public/private keypairs and stripping out the private key information, as you discovered. 

The “defaultSigningAlgorithm” property does not select the key, it selects the signature algorithm applied to server-signed objects (like ID tokens) if there isn’t one specified by the client’s specific configuration.

As for the error, it looks like our underlying JOSE library is perhaps too strict in its parsing, so you may want to file a bug on their end. However, none of our production systems have used the “use” field.

 — Justin


> On Aug 28, 2015, at 2:09 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
> 
> Hi,
> 
> One minor thing, but that surprisingly is generating quite a few emails internally, is indirectly related to the configuration below (crypto-config.xml):
> 
> <bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService">
>   <constructor-arg name="keyStore" ref="defaultKeyStore" />
>   <property name="defaultSignerKeyId" value="rsa1" />
>   <property name="defaultSigningAlgorithmName" value="RS256" />
> </bean>
> 
> Question: can “use”: “sig” (as defined in https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41) be used as discriminator for the signing key? In other words, why use the key ID and algorithm?
> 
> If multiple keys with “use”: “sig” may be present, how does the client know which one returned from "jwks_uri":"http://localhost:8080/ldap-openid-connect-server/jwk" (from well-known endpoint) should be used? We’ve noticed that that endpoint seems to be returning all keys (we haven’t tested other private keys but at least for the one used for signing the private modulus is removed, as expected).
> 
> Regards,
> Luiz
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
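An added example in Python, not from this thread or from the MITREid Connect code base, showing the two points the reply makes: the JWK endpoint publishes every key with its private members stripped, and a client must choose the verification key by the JWS header's "kid" because "use":"sig" cannot pick one of several signing keys. The keystore, key ids and parameter values are constructed placeholders.

```python
import base64
import json

# Constructed sample keystore (placeholder values, not real RSA parameters; kids assumed):
KEYSTORE = {"keys": [
    {"kty": "RSA", "kid": "rsa1", "use": "sig", "alg": "RS256", "e": "AQAB",
     "n": "n1-placeholder", "d": "d1-placeholder", "p": "p1", "q": "q1"},
    {"kty": "RSA", "kid": "rsa2", "use": "sig", "alg": "RS256", "e": "AQAB",
     "n": "n2-placeholder", "d": "d2-placeholder"},
    {"kty": "RSA", "kid": "enc1", "use": "enc", "alg": "RSA-OAEP", "e": "AQAB",
     "n": "n3-placeholder", "d": "d3-placeholder"},
]}
# RSA private-key members (RFC 7518 section 6.3.2); everything else is public.
RSA_PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth"}

def public_jwks(keystore):
    """What the jwks_uri endpoint publishes: every key, private members stripped."""
    return {"keys": [{k: v for k, v in key.items() if k not in RSA_PRIVATE_MEMBERS}
                     for key in keystore["keys"]]}

def keys_with_use(jwks, use):
    """All keys marked for a given use; "use" alone cannot pick one of several."""
    return [k for k in jwks["keys"] if k.get("use") == use]

def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def verification_key_for(compact_jws, jwks):
    """Pick the key the JWS header points at, the way an OIDC client must."""
    header = json.loads(_b64url_decode(compact_jws.split(".")[0]))
    kid = header.get("kid")
    if kid is None:
        # Without "kid", "use":"sig" only helps if exactly one such key exists.
        sig_keys = keys_with_use(jwks, "sig")
        if len(sig_keys) == 1:
            return sig_keys[0]
        raise LookupError(f"no kid in header and {len(sig_keys)} keys with use=sig")
    matches = [k for k in jwks["keys"] if k.get("kid") == kid]
    if len(matches) != 1:
        raise LookupError(f"expected one key with kid={kid!r}, found {len(matches)}")
    key = matches[0]
    if key.get("use") == "enc" or key.get("alg", header.get("alg")) != header.get("alg"):
        raise ValueError(f"key {kid!r} is not usable for alg {header.get('alg')!r}")
    return key

def sample_jws(kid=None, alg="RS256"):
    """Constructed compact JWS with a real header and dummy payload/signature."""
    header = {"alg": alg, **({"kid": kid} if kid else {})}
    head = base64.urlsafe_b64encode(json.dumps(header).encode()).decode().rstrip("=")
    return head + ".e30.c2ln"
```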
