[mitreid-connect] JWT Signatures - which public key?

Yannick Béot yannick.beot at gmail.com
Tue Oct 11 16:59:34 EDT 2016


If you use JWSVerificationKeySelector from Nimbus to check the JWT (as
stated at
http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens),
you should be fine.

JWSKeySelector is filtering keys with a JWKMatcher which checks the
kid (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562)

JWSVerificationKeySelector is responsible for creating the JWKMatcher
based on information from the signature, and especially the kid
(https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70)

@Luiz: what are you using to validate the token?




On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <jricher at mit.edu> wrote:

> The “kid” will be in the header of the JWT you’re validating. I think
> we’ve got a long-standing issue to enforce that check in the client
> library, but it should still work as-is.
>
>  — Justin
>
> On Oct 11, 2016, at 12:27 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>
> Well, which “kid” value should we look for? I checked the
> <root>/.well-known/openid-configuration and although it lists the jwk
> endpoint we couldn’t find the “kid” anywhere. Does it mean this info has to
> be transmitted offline?
>
> {
>   "keys":[
>     {
>       "alg":"RS256",
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "use":"enc",
>       "kid":"mc.duke.edu"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"Test1"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"Test2"
>     },
>     {
>       "e":"xxx",
>       "n":"xxx",
>       "kty":"RSA",
>       "kid":"rsa1"
>     }
>   ]
> }
>
> From: "yannick.beot at gmail.com" <yannick.beot at gmail.com>
> Date: Tuesday, October 11, 2016 at 12:16 PM
> To: Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
> Subject: RE: [mitreid-connect] JWT Signatures - which public key?
>
> There is a key id present in the header that is interpreted by Nimbus:
> https://tools.ietf.org/html/rfc7515#section-4.1.4
>
> You should use it to differentiate the keys.
>
>
> Sent from my Windows 10 phone
>
> From: Luiz Omori <luiz.omori at duke.edu>
> Sent: Tuesday, 11 October 2016 18:04
> To: mitreid-connect at mit.edu
> Subject: [mitreid-connect] JWT Signatures - which public key?
>
> Hi,
>
> In our implementation, the RS, upon receiving a request, first validates
> the access token signature locally before introspecting it. To perform the
> signature validation we use a previously retrieved public key. The issue we
> are facing is that in our case the <root>/jwk endpoint is returning
> multiple keys. How do we figure out which one should be used? Should we
> check the “use” field? If yes, is there a standard value to check for?
>
> Regards,
> Luiz
>
> _______________________________________________
> mitreid-connect mailing list
> mitreid-connect at mit.edu
> http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>
>
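Added example, not code from the thread or from Nimbus: a small Python re-implementation of the selection step Yannick describes, reading the kid from the JWS header and choosing the single JWK whose kid, kty, alg and use agree with it. The JWK Set is constructed to resemble the one Luiz quoted (placeholder key material, so only selection is shown; the RSA verification with the chosen key is left to a JOSE library), and ALLOWED_ALGS, parse_jws_header, select_verification_key and sample_token are names introduced here.

```python
import base64
import json
# Constructed JWK Set modelled on the one quoted in the thread; "n" values are
# placeholders, not key material, because only key *selection* is shown here.
JWKS = {"keys": [
    {"alg": "RS256", "e": "AQAB", "n": "PLACEHOLDER-1", "kty": "RSA",
     "use": "enc", "kid": "mc.duke.edu"},
    {"e": "AQAB", "n": "PLACEHOLDER-2", "kty": "RSA", "kid": "Test1"},
    {"e": "AQAB", "n": "PLACEHOLDER-3", "kty": "RSA", "kid": "rsa1"},
]}
ALLOWED_ALGS = {"RS256"}  # fixed by the RS; the token's "alg" never widens it

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def parse_jws_header(token: str) -> dict:
    """Return the protected header (first segment) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[0]))

def select_verification_key(header: dict, jwks: dict) -> dict:
    """Pick exactly one JWK for signature verification, mirroring the kid/kty/
    alg/use matching that Nimbus' JWKMatcher performs for a JWS header."""
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"alg {alg!r} is not an accepted signing algorithm")
    kid = header.get("kid")
    if not kid:
        raise ValueError("JWS header carries no kid; refusing to guess a key")
    matches = [k for k in jwks.get("keys", [])
               if k.get("kid") == kid
               and k.get("kty") == "RSA"           # RS256 requires an RSA key
               and k.get("alg", alg) == alg        # declared alg must agree
               and k.get("use", "sig") == "sig"]   # an "enc" key never verifies
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} keys match kid {kid!r}; need exactly one")
    return matches[0]

def sample_token(header: dict) -> str:
    """Constructed compact JWS for exercising the header logic only; payload and
    signature segments are dummies, not a real signature."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b'{"sub":"demo"}'),
                     b64url_encode(b"dummy-signature")])
```

Against the constructed set, the key with kid mc.duke.edu is refused because it is marked "use":"enc", while Test1 and rsa1 are selectable by kid alone.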