[mitreid-connect] JWT Signatures - which public key?

Luiz Omori luiz.omori at duke.edu
Tue Oct 11 12:27:15 EDT 2016 

Well, which “kid” value should we look for? I checked the <root>/.well-known/openid-configuration and although it lists the jwk endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to be transmitted offline?

{
  "keys":[
    {
      "alg":"RS256",
      "e":"xxx",
      "n":"xxx”,
      "kty":"RSA",
      "use":"enc",
      "kid":"mc.duke.edu"
    },
    {
      "e":"xxx",
      "n":"xxx”,
      "kty":"RSA",
      "kid":"Test1"
    },
    {
      "e":"xxx",
      "n":"xxx”,
      "kty":"RSA",
      "kid":"Test2"
    },
    {
      "e":"xxx",
      "n":"xxx",
      "kty":"RSA",
      "kid":"rsa1"
    }
  ]
}

From: "yannick.beot at gmail.com" <yannick.beot at gmail.com>
Date: Tuesday, October 11, 2016 at 12:16 PM
To: Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
Subject: RE: [mitreid-connect] JWT Signatures - which public key?

There is a key id present in the header that is interpreted by Nimbus: https://tools.ietf.org/html/rfc7515#section-4.1.4<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_rfc7515-23section-2D4.1.4&d=CwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=946nVG8V76cufZ4NS83yWjsqNfm4xIW2uP9rsciX32I&s=HLXHrA80eziVyXZG3UyPxIKg-x7A1JpFPBB-62UILWw&e=>

You should use it to differentiate the keys.


Envoyé de mon téléphone Windows 10

De : Luiz Omori<mailto:luiz.omori at duke.edu>
Envoyé le :mardi 11 octobre 2016 18:04
À : mitreid-connect at mit.edu<mailto:mitreid-connect at mit.edu>
Objet :[mitreid-connect] JWT Signatures - which public key?

Hi,

In our implementation, the RS upon receiving a request it first validates the access token signature locally before introspecting it. To perform the signature validation we use a previously retrieved public key. The issue we are facing is that in our case the <root>/jwk endpoint is returning multiple keys. How do we figure out which one should be used? Should we check the “use” field? If yes, is there a standard value to check for?

Regards,
Luiz

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20161011/8509e98a/attachment-0001.html

More information about the mitreid-connect mailing list