[mitreid-connect] JWT Signatures - which public key?

Justin Richer jricher at mit.edu
Wed Oct 12 08:23:52 EDT 2016


Because the roles are reversed for things like request objects, and the 
whole thing is set up with a common keystore for convenience. We're not 
likely to change the structure.

  -- Justin


On 10/12/2016 4:14 AM, Yannick Béot wrote:
> Justin,
>
> I have created an issue (#1132).
> I have had a quick look at the code. My first idea would be to 
> separate the validation and signing logic in 
> DefaultJWTSigningAndValidationService.
>
> How come both are merged in the same class? It is pretty separated in 
> the class with 2 lists (signers & validators).
> Either you sign (IdP) or you validate (RP, or RP authentication 
> by JWT).
>
> Yannick
>
>
>
>
>
> On Wed, Oct 12, 2016 at 6:36 AM, <yannick.beot at gmail.com> wrote:
>
>     No problem.
>
>     I’ll have a look and file an issue if needed
>
>     Sent from my Windows 10 phone
>
>     From: Justin Richer <jricher at mit.edu>
>     Sent: Tuesday, 11 October 2016 23:05
>     To: Yannick Béot <yannick.beot at gmail.com>
>     Cc: Luiz Omori <luiz.omori at duke.edu>; mitreid-connect at mit.edu
>     Subject: Re: [mitreid-connect] JWT Signatures - which public key?
>
>     Yannick, thanks for that pointer. Could you please add an issue to
>     the MITREid Connect project to use those classes? The references
>     will be helpful as well.
>
>      — Justin
>
>         On Oct 11, 2016, at 4:59 PM, Yannick Béot <yannick.beot at gmail.com> wrote:
>
>         If you use JWSVerificationKeySelector from Nimbus to check the
>         JWT (as stated in
>         http://connect2id.com/products/nimbus-jose-jwt/examples/validating-jwt-access-tokens),
>         you should be fine.
>
>         JWSKeySelector is filtering keys with a JWKMatcher which checks the kid
>         (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/jwk/JWKMatcher.java?at=4.15&fileviewer=file-view-default#JWKMatcher.java-562)
>
>         JWSVerificationKeySelector is responsible for creating the JWKMatcher
>         based on information from the signature, and especially the kid
>         (https://bitbucket.org/connect2id/nimbus-jose-jwt/src/3810eb0a96565e7768cd54bf734dfea373ecc561/src/main/java/com/nimbusds/jose/proc/JWSVerificationKeySelector.java?at=4.15&fileviewer=file-view-default#JWSVerificationKeySelector.java-70)
>
>         @Luiz: what are you using to validate the token?
>
>
>         On Tue, Oct 11, 2016 at 9:13 PM, Justin Richer <jricher at mit.edu> wrote:
>
>             The “kid” will be in the header of the JWT you’re
>             validating. I think we’ve got a long-standing issue to
>             enforce that check in the client library, but it should
>             still work as-is.
>
>              — Justin
>
>                 On Oct 11, 2016, at 12:27 PM, Luiz Omori <luiz.omori at duke.edu> wrote:
>
>                 Well, which “kid” value should we look for? I checked
>                 the <root>/.well-known/openid-configuration and
>                 although it lists the jwk endpoint we couldn’t find
>                 the “kid” anywhere. Does it mean this info has to be
>                 transmitted offline?
>
>                 {
>                   "keys":[
>                     {
>                       "alg":"RS256",
>                       "e":"xxx",
>                       "n":"xxx",
>                       "kty":"RSA",
>                       "use":"enc",
>                       "kid":"mc.duke.edu"
>                     },
>                     {
>                       "e":"xxx",
>                       "n":"xxx",
>                       "kty":"RSA",
>                       "kid":"Test1"
>                     },
>                     {
>                       "e":"xxx",
>                       "n":"xxx",
>                       "kty":"RSA",
>                       "kid":"Test2"
>                     },
>                     {
>                       "e":"xxx",
>                       "n":"xxx",
>                       "kty":"RSA",
>                       "kid":"rsa1"
>                     }
>                   ]
>                 }
>
>                 From: "yannick.beot at gmail.com" <yannick.beot at gmail.com>
>                 Date: Tuesday, October 11, 2016 at 12:16 PM
>                 To: Luiz Omori <luiz.omori at duke.edu>, "mitreid-connect at mit.edu" <mitreid-connect at mit.edu>
>                 Subject: RE: [mitreid-connect] JWT Signatures - which public key?
>
>                 There is a key id present in the header that is
>                 interpreted by Nimbus: https://tools.ietf.org/html/rfc7515#section-4.1.4
>
>                 You should use it to differentiate the keys.
>
>                 Sent from my Windows 10 phone
>
>                 From: Luiz Omori <luiz.omori at duke.edu>
>                 Sent: Tuesday, 11 October 2016 18:04
>                 To: mitreid-connect at mit.edu
>                 Subject: [mitreid-connect] JWT Signatures - which public key?
>
>                 Hi,
>
>                 In our implementation, the RS, upon receiving a request,
>                 first validates the access token signature locally
>                 before introspecting it. To perform the signature
>                 validation we use a previously retrieved public key.
>                 The issue we are facing is that in our case the
>                 <root>/jwk endpoint is returning multiple keys. How do
>                 we figure out which one should be used? Should we
>                 check the “use” field? If yes, is there a standard
>                 value to check for?
>
>                 Regards,
>
>                 Luiz
>
>                 _______________________________________________
>                 mitreid-connect mailing list
>                 mitreid-connect at mit.edu
>                 http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
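The selection behaviour discussed in the thread, as an added example that is not code from the thread, from MITREid Connect or from Nimbus: it builds a JWK Set whose kid values mirror the one Luiz posted (with freshly generated keys, since the thread's n/e values are elided), publishes only the public halves the way <root>/jwk would, and lets DefaultJWTProcessor with JWSVerificationKeySelector pick the verification key from the token's kid header. The class name, issuer and subject are assumptions; the three cases at the end show a correct kid, a kid pointing at the wrong key, and a token signed with the key marked use=enc.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;
import java.util.Date;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWK;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.KeyUse;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSKeySelector;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

// Hypothetical class name; not part of MITREid Connect or Nimbus.
public class KidSelectionDemo {

    // Generate a fresh RSA key pair and wrap it as a JWK with the given kid and use.
    static RSAKey newRsaKey(String kid, KeyUse use) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        return new RSAKey.Builder((RSAPublicKey) kp.getPublic())
                .privateKey((RSAPrivateKey) kp.getPrivate())
                .keyID(kid)
                .keyUse(use)
                .build();
    }

    // Sign a short-lived token with 'key', but put 'kidInHeader' in the JWS header.
    // Letting the two differ is what exercises the selector below.
    static String signWith(RSAKey key, String kidInHeader) throws Exception {
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .issuer("https://as.example.org/")   // assumed issuer
                .subject("alice")                     // assumed subject
                .expirationTime(new Date(System.currentTimeMillis() + 60_000))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(kidInHeader).build(),
                claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Private halves stay on the AS; the kids mirror the JWKS posted in the thread.
        RSAKey enc   = newRsaKey("mc.duke.edu", KeyUse.ENCRYPTION);
        RSAKey test1 = newRsaKey("Test1", KeyUse.SIGNATURE);
        RSAKey rsa1  = newRsaKey("rsa1", KeyUse.SIGNATURE);

        // What the RS fetches from <root>/jwk: public keys only.
        JWKSet published = new JWKSet(Arrays.<JWK>asList(
                enc.toPublicJWK(), test1.toPublicJWK(), rsa1.toPublicJWK()));

        // The selector matches on the header's kid and on the fixed expected
        // algorithm; keys with "use":"enc" are never candidates for verification.
        JWKSource<SecurityContext> keySource = new ImmutableJWKSet<>(published);
        JWSKeySelector<SecurityContext> selector =
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keySource);
        DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();
        processor.setJWSKeySelector(selector);

        // 1. Signed by rsa1, header says kid=rsa1: the right key is chosen, token accepted.
        JWTClaimsSet ok = processor.process(signWith(rsa1, "rsa1"), null);
        System.out.println("accepted, sub=" + ok.getSubject());

        // 2. Signed by rsa1, but header claims kid=Test1: Test1 is selected, signature fails.
        try {
            processor.process(signWith(rsa1, "Test1"), null);
        } catch (BadJOSEException e) {
            System.out.println("rejected (kid names the wrong key): " + e.getMessage());
        }

        // 3. Signed with the enc-only key: no candidate key matches, token rejected.
        try {
            processor.process(signWith(enc, "mc.duke.edu"), null);
        } catch (BadJOSEException e) {
            System.out.println("rejected (use=enc key): " + e.getMessage());
        }
    }
}
```

The kid only tells the verifier which key to try; it is attacker-controlled header data, so the RS still pins the JWKS URL to the issuer it trusts, keeps the expected algorithm fixed rather than reading it from the header, and checks iss, aud and exp after the signature verifies. Keys published with "use":"enc", like the first entry in Luiz's set, are not selected for signature verification at all.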