<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
</head>
<body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0);">
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Hi,</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">One minor thing, but that surprisingly is generating quite a few emails internally, is indirectly related to the configuration below (crypto-config.xml):</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;bean id="defaultsignerService" class="org.mitre.jwt.signer.service.impl.DefaultJWTSigningAndValidationService"&gt;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;constructor-arg name="keyStore" ref="defaultKeyStore" /&gt;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;property name="defaultSignerKeyId" value="rsa1" /&gt;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;property name="defaultSigningAlgorithmName" value="RS256" /&gt;</div>
<div><span class="Apple-tab-span" style="white-space:pre"></span>&lt;/bean&gt;</div>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Question: can "use": "sig" (as defined in <a href="https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41">https://tools.ietf.org/html/draft-ietf-jose-json-web-key-41</a>) be used as the discriminator for the signing key? In other words, why use the key ID and algorithm?</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">If multiple keys with "use": "sig" may be present, how does the client know which one returned from "jwks_uri": "http://localhost:8080/ldap-openid-connect-server/jwk" (from the well-known endpoint) should be used? We've noticed that the endpoint seems to return all keys (we haven't tested other private keys, but at least for the one used for signing the private modulus is removed, as expected).</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;"><br>
</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Regards,</div>
<div style="font-size: 14px; font-family: Calibri, sans-serif;">Luiz</div>
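<div style="font-size: 14px; font-family: Calibri, sans-serif;">Added example, not part of Luiz's message or of the MITREid Connect code base: a client-side key-selection routine over a constructed jwks_uri response (placeholder key material, kids rsa1/rsa2/enc1 are assumptions), showing why "use": "sig" alone stops disambiguating as soon as a second signing key is published, and why the JWS "kid" (together with "alg") is the discriminator. It also checks that the published set carries no private parameters, which is the property the message observes on the signing key.</div>

```python
import json

# Constructed sample of what a jwks_uri endpoint might publish: two signing
# keys and one encryption key. Key material is placeholder text, not real RSA.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kty": "RSA", "kid": "rsa1", "use": "sig", "alg": "RS256", "n": "<n1>", "e": "AQAB"},
    {"kty": "RSA", "kid": "rsa2", "use": "sig", "n": "<n2>", "e": "AQAB"},
    {"kty": "RSA", "kid": "enc1", "use": "enc", "n": "<n3>", "e": "AQAB"},
]})

# JWS algorithm family prefix -> key type that can verify it.
ALG_KTY = {"RS": "RSA", "PS": "RSA", "ES": "EC", "HS": "oct"}
# JWK members that must never appear in a published (public) key set.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "k"}

def leaked_private_keys(jwks_json):
    """Return the kids of any published key that still carries private material."""
    return [k.get("kid") for k in json.loads(jwks_json)["keys"]
            if PRIVATE_MEMBERS.intersection(k)]

def candidate_keys(jwks_json, jws_header):
    """All keys from the JWKS that could verify a JWS with this protected header."""
    alg = jws_header["alg"]
    out = []
    for k in json.loads(jwks_json)["keys"]:
        if k.get("use", "sig") != "sig":          # absent 'use' = unrestricted
            continue
        if k.get("kty") != ALG_KTY.get(alg[:2]):  # RS256 needs an RSA key
            continue
        if k.get("alg", alg) != alg:              # key-level alg, if stated, must agree
            continue
        if "kid" in jws_header and k.get("kid") != jws_header["kid"]:
            continue
        out.append(k)
    return out

def select_verification_key(jwks_json, jws_header):
    """Exactly one key must remain. Guessing among several signing keys is the
    ambiguity that 'use': 'sig' by itself cannot resolve; the kid resolves it."""
    leaked = leaked_private_keys(jwks_json)
    if leaked:
        raise ValueError(f"JWKS publishes private parameters for {leaked}")
    found = candidate_keys(jwks_json, jws_header)
    if len(found) != 1:
        raise LookupError(f"{len(found)} candidate keys for header {jws_header}")
    return found[0]

if __name__ == "__main__":
    print(select_verification_key(SAMPLE_JWKS, {"alg": "RS256", "kid": "rsa1"})["kid"])
    print(len(candidate_keys(SAMPLE_JWKS, {"alg": "RS256"})))  # 2: a kid is needed
```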
</body>
</html>